b'The SEC\xe2\x80\x99s Implementation of and\nCompliance with Homeland Security\nPresidential Directive 12\n\n\n\n\n                                                                March 31, 2011\n                                                                Report No. 481\n\n\n The SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12   March 31, 2011\n Report No. 481\n                                                 1\n\x0c                                                   UNITED STA.TES\n                                 SECURITIES AND EXCHANGE COMMISSION\n                                             WA.SHINGTON. D.C.        20:549\n\n\n     0 .... \'<:"\'0 ..\n, ..... ECTOR GENERAL\n\n\n\n\n                                          MEMORANDUM\n                                                  March 31,2011\n\n                To:          Diego T. Ruiz, Executive Director, Office of the Executive Director\n                             Jeffrey A. Risinger, Associate Executive Director, Office of Human\n                               Resources\n                             Sharon Sheehan, Associate Executive Director, Office of\n                               Administrative Services\n                             Thomas A. Bayer, Director, Office of Information Technology\n\n                From:         H. David Kotz, Inspector General, Office of Inspector General   (O l~\n                Subject:      The SEC\'s Implementation of and Compliance with HSPD-12,\n                              Report No. 481\n\n                This memorandum transmits the U.S. Securities and Exchange Commission\n                DIG\'s final report detailing the results on our audit of the SEC\'s implementation\n                of and compliance with HSPD-12. 
This audit was conducted as part of our\n                continuous effort to assess management of the Commission\'s programs and\n                operations and as a part of our annual audit plan.\n\n                The final report contains 25 recommendations which if fully implemented should\n                ensure the Commission\'s full compliance with the HSPD-12 directive. The\n                respective offices concurred with all the report\'s recommendations. Your written\n                response to the draft report is included in Appendix VI.\n\n                Within the next 45 days, please provide the OIG with a written corrective action\n                plan that is designed to address the report\'s recommendations. The corrective\n                action plan should include information such as the responsible official/point of\n                contact. timeframes for completing required actions, and milestones identifying\n                how you will address the recommendations.\n\n\n\n\n            The SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                        March 31, 2011\n            Report No. 481\n                                                            i\n\x0cShould you have any questions regarding this report, please do not hesitate to\ncontact me. We appreciate the courtesy and cooperation that you and your staff\nextended to our auditor during this audit.\n\nAttachment\n\ncc:     Kayla J. Gillan, Deputy Chief of Staff, Office of the Chairman\n        Luis A. Aguilar, Commissioner\n        Troy A. Paredes, Commissioner\n        Elisse B. Walter, Commissioner\n        Jeffery Heslop, Chief Operating Officer, Office of the Chief Operations\n          Officer\n        Cristin Fair, Acting Deputy Director, Office of Human Resources\n        Beth Blackwood, Assistant Director, Office of Administrative Services,\n          Office of Security and Business Operations\n        Lewis W. 
Walker, Deputy Director, Chief Technology Officer, Office of\n          Information Technology\n\n\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                March 31, 2011\nReport No. 481\n                                                ii\n\x0cThe SEC\xe2\x80\x99s Implementation of and Compliance\nwith Homeland Security Presidential Directive 12\n\n                                   Executive Summary\nBackground. On August 27, 2004, President George W. Bush signed\nHomeland Security Presidential Directive 12 (HSPD-12), Policy for a Common\nIdentification Standard for Federal Employees and Contractors. This directive\nrequires federal agencies to have programs in place to ensure that identification\nissued by each agency to federal employees and contractors meets a common\nstandard. Those standards and technical specifications were set forth in Federal\nInformation Processing Standards Publication (FIPS) 201, Personal Identity\nVerification (PIV) of Federal Employees and Contractors, which was initially\nissued by the Department of Commerce\xe2\x80\x99s National Institute of Standards and\nTechnology (NIST) on February 25, 2005, and revised in March 2006. On\nAugust 5, 2005, the Office of Management and Budget (OMB) issued\nmemorandum M-05-24, Implementation of Homeland Security Presidential\nDirective (HSPD) 12 -- Policy for a Common Identification Standard for Federal\nEmployees and Contractors (M-05-24), which provided implementation\ninstructions for HSPD-12 and FIPS 201.\n\nThe U.S. Securities and Exchange Commission (SEC) has implemented a\ncollaborative effort to comply with HSPD-12 among three SEC offices: the Office\nof Information Technology (OIT), the Office of Administrative Services (OAS),\nand the Office of Human Resources (OHR). 
OIT is responsible for overseeing\nthe implementation of the HSPD-12 program, assigning roles and responsibilities\nas requested by OHR\xe2\x80\x99s Personnel Security Branch management, and for\nimplementing technological solutions for the use of HSPD-12 for identification\nand authentication to SEC logical information systems. OAS is responsible for\nenrolling PIV credentials (also referred to as PIV cards or HSPD-12 badges)1 into\nits physical access control system and providing temporary SEC-issued badges\nwhile employees or contractors are awaiting receipt of their PIV credentials.\nOHR is responsible for the most essential component of the SEC\xe2\x80\x99s\nimplementation of and compliance with HSPD-12, which is sponsoring and\nadjudicating the background investigation of an applicant. Further, OHR is\nresponsible for sponsoring the employee or contractor for a PIV credential,\nadjudicating the results of the background investigation (including fingerprints),\ngranting reciprocity as applicable, and informing OIT and OAS that the employee\n\n\n1\n  A \xe2\x80\x9cPIV card\xe2\x80\x9d is defined as \xe2\x80\x9c[a] physical artifact (e.g., identity card, \xe2\x80\x9csmart\xe2\x80\x9d card) issued to an individual that\ncontains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint\nrepresentation) so that the claimed identity of the cardholder can be verified against the stored credentials\nby another person (human readable and verifiable) or an automated process (computer readable and\nverifiable).\xe2\x80\x9d FIPS 201-1, Appendix F, Page 73, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-\nchng1.pdf.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                             March 31, 2011\nReport No. 
481\n                                                        iii\n\x0cor contractor is eligible for access to SEC facilities and authorized technology\nsystems.\n\nOMB M-05-24 provided multiple milestones for departments and agencies to\nachieve in their implementation of HSPD-12. As of the date of this report, the\nSEC has not met all of the milestones outlined in M-05-24. The SEC has\ninformed OMB, through its quarterly reporting, that it will complete the issuance\nof PIV credentials (i.e., HSPD-12 badges) to all employees and contractors by\nJune 2011, integration of PIV credentials with logical access systems by\nDecember 2011, and integration of PIV credentials with physical access control\nsystems by June 2011.\n\nObjectives. The primary objective of the audit of the SEC\xe2\x80\x99s implementation of\nand compliance with HSPD-12 is to determine if the SEC is fully compliant with\nHSPD-12 and the implementing standards and guidance. The OIG\xe2\x80\x99s specific\naudit objectives were as follows:\n\n    \xe2\x80\xa2   Evaluate whether the SEC has adequate controls and the necessary\n        processes and procedures to perform background investigations,\n        adjudicate results, and issue credentials.\n\n    \xe2\x80\xa2   Evaluate the roles and responsibilities for the HSPD-12 initiative among\n        the various SEC offices involved in the process, including OAS, OHR, and\n        OIT.\n\n    \xe2\x80\xa2   Assess compliance with HSPD-12 and determine whether all the\n        necessary equipment has been purchased to implement HSPD-12\n        throughout the SEC.\n\n    \xe2\x80\xa2   Evaluate whether the HSPD-12 processes and procedures are\n        consistently applied throughout the SEC (i.e., at SEC headquarters and\n        the regional offices).\n\nPrior OIG Reports and Memoranda. Four prior OIG reports and memoranda\nare relevant to this audit:\n\n    \xe2\x80\xa2   OIG Report of Investigation No. 
OIG-544, OIT Contract Employees Given\n        Access to SEC Buildings and Computer Systems for Several Weeks\n        Before Background Investigation Clearance, issued on January 20, 2011,\n        which contained four recommendations to strengthen management\n        controls pertaining to contractor access to SEC facilities and information\n        systems.\n    \xe2\x80\xa2   OIG Inspection Report No. 434, Background Investigations, issued on\n        March 28, 2008, which contained nine recommendations to strengthen\n        management controls over OHR\xe2\x80\x99s background investigation program.\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                 March 31, 2011\nReport No. 481\n                                               iv\n\x0c    \xe2\x80\xa2   OIG Investigative Memorandum No. G-444\xc2\xb8Law Student Observer\n        Program, issued on June 29, 2006, which contained three\n        recommendations to strengthen management controls over OHR\xe2\x80\x99s\n        background investigation program, specifically for interns selected through\n        the SEC\xe2\x80\x99s Law Student Observer Program.\n    \xe2\x80\xa2   OIG Audit Memorandum No. 39, Operations Center Building Security,\n        issued on July 14, 2005, which contained three recommendations to\n        strengthen management controls over building security at the SEC\n        Operations Center located in Alexandria, Virginia.\n\nResults. The OIG audit found deficiencies in nearly every aspect of the SEC\xe2\x80\x99s\nHSPD-12 program, as well as significant concerns about the SEC\xe2\x80\x99s authority to\ndetermine eligibility for access to classified information and the current process\nfor granting temporary access to SEC facilities.\n\nWe found that the SEC has missed virtually all the deadlines established by OMB\nguidance for implementation of HSPD-12. 
M-05-24 required agencies to develop\na plan and begin the required background investigations for current employees\nwho did not have an initiated or successfully adjudicated investigation on record\nby October 27, 2005. 2 Our audit found no formal documentation of any such\nplan and, we were thus unable to confirm if the SEC ever satisfied this\nrequirement. M-05-24 further required agencies to verify and/or complete\nbackground investigations for all current employees, excluding those who have\nbeen employed by the federal government over 15 years, by October 27, 2007. 3\nOur audit found that the SEC did not verify and/or complete background\ninvestigations for all current employees, excluding those who have been\nemployed by the federal government more than 15 years, until March or April of\n2009 -- approximately a year and a half after the October 27, 2007, completion\ndate required by M-05-24. Further, M-05-24 required, \xe2\x80\x9cFor individuals who have\nbeen federal department or agency employees over 15 years, a new\ninvestigation may be delayed, commensurate with risk, but must be completed\nno later than October 27, 2008.\xe2\x80\x9d 4 Our audit found that as of December 31, 2010,\nthe SEC has not verified and/or completed background investigations for 1,263\nemployees who have more than 15 years of federal government service.\n\nM-05-24 also required agencies to develop a plan and begin the required\nbackground investigations for all current contractors who did not have a\nsuccessfully adjudicated investigation on record by October 27, 2005. 5 Our audit\nfound that the SEC has not developed a plan commensurate with risk, for\ncompletion of background investigations for all current contractors who do not\nhave a successfully adjudicated investigation on record. 
We also found that the\n\n2\n  OMB Memorandum M-05-24, Implementation for Homeland Security Presidential Directive (HSPD) 12 \xe2\x80\x93\nPolicy for a Common Identification Standard for Federal Employees and Contractors, page 6.\nhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\n3\n  M-05-24, page 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\n4\n  M-05-24, page 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\n5\n  M-05-24, page 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                   March 31, 2011\nReport No. 481\n                                                   v\n\x0cSEC is currently unable to determine the actual number of contractors who are\nemployed by the SEC; thus, there is a serious question as to whether the SEC\naccurately reported its statistics related to contractors in its December 31, 2010,\nquarterly HSPD-12 Implementation Status Report to OMB.\n\nFurther, M-05-24 required that agencies adopt and accredit a registration\nprocess and initiate an appropriate background investigation for all new\nemployees and contractors by October 27, 2005. 6 We found that the SEC, as it\nreported to OMB, only began issuing PIV credentials to all new employees and\ncontractors as part of the onboarding process in April 2010, and the SEC has\nfailed to meet the October 27, 2005 deadline by several years.\n\nDuring our audit, we compared the SEC\xe2\x80\x99s September 2010 quarterly HSPD-12\nImplementation Status Report with reports of (1) other federal financial agencies\nand (2) federal agencies of similar size to the SEC. We found that the SEC\nlagged well behind both other agencies with similar missions and those with\nsimilar numbers of employees. 
As of September 30, 2010, the SEC reported that\nonly 61 percent of its employees and contractors had been issued PIV cards,\nwhile all of the other agencies we reviewed reported that they had issued PIV\ncards to over 90 percent of their employees and contractors.\n\nOur audit also found that since June 30, 2008, the SEC has adjudicated and\ndetermined the eligibility of 26 employees and contractors to access classified\ninformation without receipt of delegated authority from the Director of National\nIntelligence (DNI), which Executive Order 13467 established as the final authority\nto designate an agency to make such determinations. We also found that the\nSEC\xe2\x80\x99s determinations of eligibility for access to classified information were based\non incorrect policies and procedures. Additionally, we found that OAS\xe2\x80\x99s Physical\nSecurity Branch is making eligibility determinations for applicants seeking\ntemporary access to SEC facilities without the proper authority. Moreover, the\nPhysical Security Branch is not using the appropriate standards for making these\ndeterminations.\n\nOur audit also found that the SEC\xe2\x80\x99s regional offices have not consistently\nenrolled PIV badges into the SEC\xe2\x80\x99s physical access control system. In addition,\nthe SEC\xe2\x80\x99s badging policy is outdated and does not include policies and\nprocedures for issuing and revoking badges, or for requiring the use of the PIV\ncredentials as the common means of authentication for access to SEC facilities\nand information systems. 
We further found that OHR\xe2\x80\x99s Personnel Security\nBranch does not have policies or procedures specific to adjudicating foreign\nnationals.\n\nFurther, our audit determined that OIT\xe2\x80\x99s asset inventory does not account for\nkeyboards (some of which contain card readers that could be used to\nauthenticate PIV credentials) and lacks detail necessary to identify laptops that\n6\n M-05-24, page 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                March 31, 2011\nReport No. 481\n                                                 vi\n\x0chave card readers. Without this information, OIT might unnecessarily purchase\nnew keyboards and laptops with card readers or external card readers.\nOur audit also disclosed that OIT employs two full-time registrars, who are\nresponsible for validating an applicant\xe2\x80\x99s identity, ensuring the successful\ncompletion of background checks, and providing approval for the issuance of a\nPIV credential to the applicant. Our audit found that the SEC expended a total of\napproximately $144,000 to employ registrars between June 2009 and December\n2010, which would have been avoided if the SEC had implemented HSPD-12\nwithin the required timeframes. Moreover, our audit found that based on the\naverage number of transactions processed per day, the SEC only requires one\npart-time registrar. We also found that the SEC did not conduct an analysis\nbefore employing a second full-time registrar or consider alternatives, such as\nsplitting the time of the existing registrar between both facilities or hiring a part-\ntime registrar to work at the Operations Center. As a result, the SEC has\nexpended unnecessary costs to employ two full-time registrars when, based on\nan eight-hour workday, the registrars combined are spending an average of only\ntwo hours per day processing transactions. 
Our audit concluded that the SEC\ncould save $108,000 annually by employing one part-time registrar, rather than\ntwo full-time registrars.\n\nFinally, the audit found that OAS\xe2\x80\x99s Physical Security Branch is not maintaining\nvisitor record logs in accordance with the National Archives and Records\nAdministration\xe2\x80\x99s (NARA) General Records Schedule retention requirement of two\nyears. Because the Physical Security Branch is retaining such records for only\n90 days, it is unable to analyze visitor logs effectively to determine if visitors are\naccessing the agency inappropriately (i.e., circumventing the badging process if\nthey require access for more than six months).\n\nSummary of Recommendations. Our audit determined that numerous\nimprovements were required in order to ensure that the SEC becomes compliant\nwith HSPD-12. Specifically, we recommended that:\n\n        (1)   OHR immediately prepare formal documented plans for\n              initiating background investigations for all current employees\n              who do not have successfully adjudicated background\n              investigations on record, commensurate with risk;\n\n        (2)   OHR immediately, but no later than 90 days after the issuance\n              of this report, initiate background investigations for all current\n              employees who do not have successfully adjudicated\n              investigations on record, commensurate with risk;\n\n        (3)   OAS should identify and develop a consolidated list of all\n              contractors employed by the SEC, and coordinate with the\n              Contracting Officer\xe2\x80\x99s Technical Representatives and\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                    March 31, 2011\nReport No. 
481\n                                               vii\n\x0c              Inspection and Acceptance Officials to implement policies and\n              procedures for ensuring that the list remains up to date;\n\n        (4)   OAS provide the OHR\xe2\x80\x99s Personnel Security Branch with a\n              copy of the up-to-date consolidated contractor list on a weekly\n              basis;\n\n        (5)   OHR\xe2\x80\x99s Personnel Security Branch, upon receipt of the up-to-\n              date consolidated contractor list, should determine which\n              contractors do not have successfully adjudicated\n              investigations on record and develop a plan to begin the\n              required background investigations immediately;\n\n        (6)   OHR, upon receipt of the up-to-date consolidated contractor\n              list, ensure that accurate status reporting has been made to\n              OMB;\n\n        (7)   OED discontinue adjudicating all eligibility determinations for\n              access to classified information or holding a sensitive position\n              until the SEC has received an appropriate delegation of\n              authority to conduct such determinations from the DNI;\n\n        (8)   OED identify all eligibility determinations for access to\n              classified information or holding a sensitive position\n              adjudicated by the SEC since June 30, 2008, and, upon\n              receipt of authority from the DNI, conduct a quality control\n              assessment to ensure that the determinations were conducted\n              in accordance with the uniform policies and procedures\n              developed by DNI;\n\n        (9)  OED, upon receipt of authority from the DNI to make eligibility\n             determinations for access to classified information or holding a\n             sensitive position, should use the DNI\xe2\x80\x99s uniform policies and\n             procedures developed by DNI when making 
such\n             determinations;.\n        (10) OAS immediately discontinue making eligibility determinations\n             for persons requiring temporary access to SEC facilities or\n             information systems without proper authorization;\n\n        (11) OAS immediately provide OHR\xe2\x80\x99s Personnel Security Branch\n             with a list of all persons who have been provided or denied\n             access based on the Physical Security Branch\xe2\x80\x99s risk\n             assessments, as well as a copy of all fingerprints records,\n             supporting documentation, and the results of the risk\n             assessments;\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                  March 31, 2011\nReport No. 481\n                                               viii\n\x0c        (12) OHR, in coordination with OAS, should develop policies and\n             procedures for determining the eligibility of contractors,\n             visitors, and guests requiring temporary access to SEC\xe2\x80\x99s\n             facilities or information systems;\n\n        (13) OAS communicate to regional office staff its expectations for\n             enrolling PIV credentials into their physical access control\n             systems and using the PIV credential as the primary badge for\n             physical access to SEC facilities;\n\n        (14) OAS require administrative officers in the regional offices, or\n             designated points of contact, to enroll PIV cards in the SEC\xe2\x80\x99s\n             physical access control system;\n\n        (15) OED communicate to all SEC employees and contractors their\n             responsibility to inform the appropriate regional office official\n             that they have been issued a Personal Identity Verification\n             card so the card can be enrolled into the SEC\xe2\x80\x99s physical\n             access control system;\n\n        (16) OED develop and implement a policy 
requiring the PIV badge\n             to be used as a common and primary means of authentication\n             for physical and logical access;\n\n        (17) OAS revise and update its Identification Cards, Press Passes\n             and Proximity Access Control Cards policy to reflect current\n             and proper practices for issuance and revocation of badges,\n             including PIV cards, to SEC employees and contractors at all\n             SEC facilities, post the revised policy on the SEC\xe2\x80\x99s intranet\n             site, and communicate the new policy to all employees and\n             contracting officials;\n\n        (18) OAS develop and implement a plan to systematically revoke\n             all SEC-issued badges for all employees and contractors who\n             have been issued HSPD-12 badges and ensure that the plan\n             is implemented no later than six months after the date this\n             report is issued;\n\n        (19) OHR develop, implement, and post in multiple locations (e.g.,\n             SEC intranet site, human resources offices, regional offices)\n             and provide at contractor orientation its appeals procedures\n             for individuals who are denied credentials or whose\n             credentials are revoked;\n\n        (20) OHR develop internal policies and procedures for suitability\n             determinations for foreign nationals;\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                 March 31, 2011\nReport No. 
481\n                                               ix\n\x0c        (21) OIT immediately conduct an audit of its inventory to identify\n             and track all keyboards and laptops that contain card readers;\n\n        (22) OIT promptly deploy appropriate technology (e.g., laptops with\n             internal card readers, keyboards with card readers, or external\n             card readers) to employees and contractors who do not have\n             card readers;\n\n        (23) OIT eliminate one full-time registrar and split the time of the\n             other full-time registrar between the Operations Center and\n             headquarters locations;\n\n        (24) OAS retain visitor control logs for a period not less than two\n             years after final entry or two years after date of document in\n             accordance with the NARA\xe2\x80\x99s General Records Schedule; and\n\n        (25) OAS perform periodic analysis of visitor data to ensure that\n             visitors are not circumventing the HSPD-12 requirements.\n\n\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                   March 31, 2011\nReport No. 481\n                                                x\n\x0cTABLE OF CONTENTS\nExecutive Summary ......................................................................................................iii\n\nTable of Contents ........................................................................................................ xi\n\nBackground and Objectives .................................................................................. 1\n     Background ....................................................................................................... 1\n     Objectives .......................................................................................................... 5\n\nFindings and Recommendations .......................................................................... 
7\n     Finding 1: The SEC Has Not Issued PIV Credentials to All Employees\n     and Contractors and Lags Behind Other Federal Agencies in\n     Implementing HSPD-12 ..................................................................................... 7\n                  Recommendation 1..................................................................... 14\n                  Recommendation 2..................................................................... 15\n                  Recommendation 3..................................................................... 15\n                  Recommendation 4..................................................................... 15\n                  Recommendation 5..................................................................... 16\n                  Recommendation 6..................................................................... 16\n\n         Finding 2: The SEC Does Not Have the Authority to Determine Eligibility of\n         a Person for Access to Classified Information .................................................. 17\n                      Recommendation 7..................................................................... 19\n                      Recommendation 8..................................................................... 20\n                      Recommendation 9..................................................................... 20\n\n         Finding 3: OAS\xe2\x80\x99s Physical Security Branch Is Making Eligibility\n         Determinations for Applicants Seeking Temporary Access to SEC\n         Facilities Without the Proper Authority ............................................................. 20\n                        Recommendation 10................................................................... 23\n                        Recommendation 11................................................................... 
23
         Recommendation 12 ..................................................................... 23

Finding 4: PIV Cards Are Not Consistently Enrolled in the SEC’s Physical
Access Control System and Badge Requirements for Physical Access to
SEC Facilities Have Not Been Communicated to All Employees and
Contractors ........................................................................................... 24
         Recommendation 13 ..................................................................... 26
         Recommendation 14 ..................................................................... 26
         Recommendation 15 ..................................................................... 27

Finding 5: OAS’s Physical Security Branch Badging Policy Is Outdated
and Does Not Include Procedures for Issuance and Revoking of Badges ........ 27
         Recommendation 16 ..................................................................... 31
         Recommendation 17 ..................................................................... 32
         Recommendation 18 ..................................................................... 32
         Recommendation 19 ..................................................................... 32

Finding 6: OHR’s Personnel Security Branch Does Not Have Policies and
Procedures for Adjudicating Foreign Nationals ................................................ 33
         Recommendation 20 ..................................................................... 34

Finding 7: OIT Is Unaware of the Number of Devices in Its Inventory That
Would Physically Permit Authentication of PIV Cardholders Accessing
SEC’s Logical Information Resources .............................................................. 34
         Recommendation 21 ..................................................................... 35
         Recommendation 22 ..................................................................... 35

Finding 8: OIT Has Unnecessarily Employed Two Full-Time Registrars ........... 36
         Recommendation 23 ..................................................................... 39

Finding 9: OAS’s Physical Security Branch Is Not Maintaining Visitor Logs
in Accordance with the Applicable Record Retention Policies .......................... 39
         Recommendation 24 ..................................................................... 41
         Recommendation 25 ..................................................................... 41

Appendices
    Appendix I: Acronyms/Abbreviations .............................................................. 42
    Appendix II: Scope and Methodology .............................................................. 43
    Appendix III: Criteria ........................................................................................ 47
    Appendix IV: List of Recommendations ........................................................... 49
    Appendix V: Schedule of Cost Savings ............................................................ 54
    Appendix VI: Management’s Comments ........................................................... 55
    Appendix VII: OIG Response to Management’s Comments .............................. 60

Tables
    Table 1: Dates and Actions That Should Be Completed by Each Department
             and Agency As Stated in the Implementation Standard ........................... 2
    Table 2: Comparison of SEC to Other Federal Financial Agencies .................. 12
    Table 3: Comparison of SEC to Other Similar Sized Federal Agencies ........... 13
    Table 4: Number of Transactions Processed between May 2010 and
             November 2010 by Registrars ............................................................ 37
    Table 5: Schedule of Cost Savings .................................................................. 54

Background and Objectives

Background

Issuance of HSPD-12 and Implementing Standards and Guidance. On August 27, 2004, President George W. Bush signed Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.[7] This directive requires federal agencies to have programs in place to ensure that the identifications issued by each agency to federal employees and contractors meet a common standard. Those standards and technical specifications were set forth in Federal Information Processing Standards Publication (FIPS) 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, which was initially issued by the National Institute of Standards and Technology (NIST) on February 25, 2005, and updated in March 2006 with the issuance of FIPS 201-1.
On August 5, 2005, the Office of Management and Budget (OMB) issued memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (M-05-24), which provides instructions for implementing HSPD-12 and FIPS 201.[8] Further, M-05-24 required all employees and contractors needing access for periods longer than six months to comply with the background investigation requirements of FIPS 201. FIPS 201 requires the completion of a background investigation consisting of a National Agency Check with Inquiries (NACI) or other Office of Personnel Management (OPM) or National Security community investigation.[9]

[7] Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors (http://www.whitehouse.gov/news/releases/2004/08/20040827-8.html).
[8] Office of Management and Budget (OMB) Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (M-05-24), August 5, 2005 (http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf).
[9] A NACI is the “basic and minimum investigation required on all new federal employees consisting of a NAC [National Agency Check] with written inquiries and searches of records covering specific areas of an individual’s background during the past five years (inquiries sent to current and past employers, schools attended, references, and local law enforcement authorities).” Federal Information Processing Standards Publication 201-1 (FIPS 201-1), Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006, Appendix C, page 66, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.

Implementation Requirements. As described in M-05-24, department and agency implementation of HSPD-12 contains two parts: Part 1 – Common Identification, Security, and Privacy Requirements and Part 2 – Government-wide Uniformity and Interoperability. Part 1 defines the minimum requirements for a federal personal identification system that meets the control and security objectives of HSPD-12, including the personal identity proofing, registration, and issuance process for employees and contractors. Part 2 details the specifications used to support the technical interoperability among departments and agencies, which include card elements, system interfaces, and the security controls required to securely store and retrieve data from the card. M-05-24 provides dates by which all departments and agencies should complete their implementation of HSPD-12, as reflected in Table 1 below:

Table 1: Dates and Actions That Should Be Completed by Each Department and Agency

    Date          Agency Action
    06/27/2005    Submit implementation plans to OMB
    10/27/2005    Comply with FIPS 201, Part 1
    10/27/2006    Begin compliance with FIPS 201, Part 2
    10/27/2007    Verify and/or complete background investigations for all current employees and contractors
    10/27/2008    Complete background investigations for all federal department or agency employees employed over 15 years

    Source: OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, August 5, 2005, page 4, Section 2.B.

Further, agencies are required to acquire and use federally approved products and services that are compliant with FIPS 201 and included on the approved products list. In addition, departments and agencies are encouraged to use the acquisition services provided by the General Services Administration (GSA). For small departments and agencies where it may not be cost-effective to procure their own products or services, M-05-24 indicates that GSA will identify agency sponsors to provide the services. The U.S. Securities and Exchange Commission (SEC or Commission) determined that it would be cost-prohibitive to acquire and use its own federally approved products and services.
As a result, in August 2008, the SEC entered into an interagency agreement with GSA to provide these products and services.

Furthermore, under FIPS 201, agencies are required to report annually on the numbers of agency-issued credentials, including (1) general credentials and (2) special-risk credentials. The SEC reports this data to OMB and posts its HSPD-12 Implementation Status Report on the SEC’s website quarterly.

Roles and Responsibilities. The SEC implemented a collaborative effort to comply with HSPD-12 among three SEC offices: the Office of Information Technology (OIT), the Office of Administrative Services (OAS), and the Office of Human Resources (OHR). OIT is responsible for overseeing the implementation of the HSPD-12 program, assigning roles and responsibilities as requested by OHR’s Personnel Security Branch management, and implementing logical and technology solutions for the use of HSPD-12 for identification and authentication to SEC logical information systems. OAS is responsible for enrolling PIV credentials[10] into its physical access control system and providing temporary SEC-issued badges while employees or contractors are awaiting receipt of their PIV credentials (also referred to as a PIV card or HSPD-12 badge).

[10] A “PIV card” is defined as “[a] physical artifact (e.g., identity card, “smart” card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, digitized fingerprint representation) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable).” FIPS 201-1, Appendix F, Page 73, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.

OHR is responsible for the most essential component of the SEC’s implementation of and compliance with HSPD-12, which is sponsoring and adjudicating the background investigation of an applicant. Further, OHR is responsible for sponsoring the employee or contractor for a PIV credential, adjudicating the results of the background investigation (including fingerprints), granting reciprocity as applicable, and informing OIT and OAS that the employee or contractor is eligible for access to the SEC facilities and authorized technology systems.

In addition to the three SEC offices, GSA, the Federal Bureau of Investigation (FBI), OPM, and the Director of National Intelligence (DNI) also have roles and responsibilities in the SEC’s implementation of and compliance with HSPD-12. GSA is responsible for registering, issuing, and activating the PIV credentials on behalf of the SEC. The FBI is responsible for receiving fingerprints and providing results of the criminal record checks of employees or contractors to the SEC to be adjudicated prior to issuing SEC badges[11] or PIV credentials. OPM is responsible for providing oversight of, and developing and implementing uniform and consistent policies and procedures for, the completion of investigations and adjudications relating to suitability determinations and eligibility for logical and physical access. In addition, OPM designates agencies to adjudicate suitability eligibility determinations for logical and physical access. The DNI is responsible for the oversight of investigations and determination of eligibility for access to classified information, including developing uniform policies and procedures related to determinations of eligibility for access to classified information. Further, the DNI is responsible for delegating to agencies the authority to determine eligibility to access classified information in accordance with Executive Order 12968, Access to Classified Information.

[11] SEC-issued badges include several types of badges: an SEC government employee badge that has a dark blue background; an SEC contractor employee badge that has an orange background; an on-site business badge that has a light blue background; an intern badge that has a red background; a badge issued to employees of other federal agencies who are working at the SEC pursuant to interagency agreements that has a black bar with stripes; a visitor badge; and an employee day pass that is paper.

This collaborative effort requires diligence among all the SEC offices involved in the process, with a special emphasis on OHR, which is responsible for sponsoring the employee or contractor for the PIV credential and adjudicating the results of the background investigation. Below is a description of the responsibilities of each role that is held by OHR staff members.

    •   Sponsor: As of December 13, 2010, the SEC had three sponsors.[12] A sponsor’s role is to substantiate the need for a PIV credential to be issued to an applicant. The sponsor is responsible for entering the applicant’s biographical information and other data into the GSA USAccess system once a request has been received from a contracting official or OHR’s Talent Management Branches. The sponsors are located in the Personnel Security Branch within OHR.

    •   Adjudicator: As of December 13, 2010, the SEC had three adjudicators.[13] An adjudicator is responsible for recording the adjudication results of the applicant. A “positive” or “favorable” adjudication will initiate the PIV credential issuance process. Adjudicators are assigned within the Personnel Security Branch.

[12] This information was obtained from the GSA USAccess program, Role Assignment Report, printed 12/13/2010 at 4:35:06 pm.
[13] This information was obtained from the GSA USAccess program, Role Assignment Report, printed 12/13/2010 at 4:35:06 pm.

In addition, the roles and responsibilities of the GSA Managed Service Office (MSO)[14] staff include registering, issuing, and activating PIV credentials, which are significant functions in the implementation of and compliance with HSPD-12. MSO staff roles are described below.

    •   Registrar: The registrar is responsible for validating the applicant’s identity (i.e., identity proofing) by inspecting two identity documents, one of which must be a government-issued photo identification. Also, the registrar collects biographical information from the identity documents, takes a photograph, and collects rolled fingerprints from the applicant. Registrars are not specific to an agency, but rather are provided by the MSO. Registrars are located in MSO offices throughout the United States. The SEC has two registrars located on site, one at headquarters and another at the Operations Center.

    •   Issuer: The issuance process is completely automated and, as a consequence, a physical person is not required to complete the task of issuing the PIV credential. USAccess, the GSA application used by MSO to process the PIV credential request, produces the PIV credential and issues the PIV card to the MSO for activation.[15]

    •   Activator: The activator is responsible for verifying that the applicant is the person to whom the PIV card should be issued and assists the applicant in activating the PIV credential.[16]

[14] A GSA MSO is a managed shared service solution that simplifies the process of procuring and maintaining PIV-compliant credentials and provides turn-key services to federal agencies in satisfying the requirements of OMB Memorandum M-05-24. For additional information, see http://www.fedidcard.gov/aboutmso.aspx.
[15] PIV Card Issuer Operations Plan, GSA MSO, CM# GSA-DI-0000129-1.4.0, p. 35.
[16] PIV Card Issuer Operations Plan, GSA MSO, CM# GSA-DI-0000129-1.4.0, p. 37.

Implementation Delays. In the early stages of implementing HSPD-12, as referenced in the OIG Inspection Background Investigations, Report No. 434, issued on March 28, 2008, the SEC faced multiple challenges, such as a lack of resources to adjudicate the number of applicants and a paper-based onboarding process.
However, since 2008, Personnel Security has increased its staff from one adjudicator to three adjudicators and has automated the onboarding process.

Implementation Status. The SEC has provided to OPM, on a quarterly basis, HSPD-12 Implementation Status Reports.[17] As of December 2010, the SEC informed OMB that it would continue to be out of compliance with several deadlines required by M-05-24, including (1) completion of the issuance of PIV credentials to all employees and contractors, (2) adjudications or verifications of background investigations for all employees and contractors, (3) integration of PIV credentials with logical access systems, and (4) integration of PIV credentials with physical access systems. In addition, the SEC informed OMB in its December 2010 quarterly report that 1,238[18] of its approximately 3,907 employees[19] and 785[20] of its approximately 1,427 contractors[21] still require PIV credentials. Further, the SEC informed OMB that it would complete the integration of PIV credentials with its logical access systems by December 2011.

[17] The most recent Implementation Status Report, issued in December 2010, can be found at http://www.sec.gov/about/piv_report_for_omb.pdf.
[18] This number represents the “Number of Employees requiring PIV credentials” as reported by the SEC to OMB in December 2010 in its HSPD-12 Implementation Status Report, http://www.sec.gov/about/piv_report_for_omb.pdf (accessed on 02/01/2011).
[19] This number represents the sum of the “Total Number of PIV credentials Issued to Employees” (2,669) and “Number of Employees requiring PIV credentials” (1,238) as reported by the SEC to OMB in December 2010 in its HSPD-12 Implementation Status Report, http://www.sec.gov/about/piv_report_for_omb.pdf (accessed on 02/01/2011).
[20] This number represents the “Number of Contractors requiring PIV credentials” as reported by the SEC to OMB in December 2010 in its HSPD-12 Implementation Status Report, http://www.sec.gov/about/piv_report_for_omb.pdf (accessed on 02/01/2011).
[21] The total number of contractors was calculated using data provided in the SEC’s December 2010 quarterly HSPD-12 Implementation Status Report. The total number of contractors (1,427) is the sum of the “Number of Contractors requiring PIV credentials” (785) and “Total Number of PIV Credentials Issued to Contractors” (642), although Personnel Security Branch staff acknowledged that they were unsure of the actual total number of SEC contractors.

Objectives

In accordance with its annual audit plan, the OIG conducted an audit of the Commission’s implementation of HSPD-12. The primary objective of this audit of the SEC’s implementation of and compliance with HSPD-12 is to determine if the SEC is fully compliant with HSPD-12 and the implementing standards and guidance. The specific audit objectives were as follows:

    •   Evaluate whether the SEC has adequate controls and the necessary processes and procedures to perform background investigations, adjudicate results, and issue credentials.

    •   Evaluate the roles and responsibilities for the HSPD-12 initiative among the various offices involved in the process, including OAS, OHR, and OIT.

    •   Assess compliance with HSPD-12 and determine whether all the necessary equipment has been purchased to implement HSPD-12 throughout the SEC.

    •   Evaluate whether the HSPD-12 processes and procedures are consistently applied throughout the SEC (i.e., at headquarters and the regional offices).

Findings and Recommendations

Finding 1: The SEC Has Not Issued PIV Credentials to All Employees and Contractors and Lags Behind Other Federal Agencies in Implementing HSPD-12

        The SEC has not issued PIV credentials to all employees and contractors in accordance with HSPD-12.
        In addition, the SEC does not have a formal, documented plan for completing the implementation of HSPD-12 and is unable to account for all of the contractors employed by the agency. As a result, the SEC is not compliant with HSPD-12 and lags behind other federal financial agencies and agencies of similar size in implementing the directive.

On August 27, 2004, the President signed HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, which requires the development and agency implementation of a mandatory, government-wide standard for secure and reliable forms of identification for federal employees and contractors. On August 5, 2005, OMB issued its Implementation Standards, OMB Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors (M-05-24), which provides guidance for agencies’ implementation of HSPD-12. M-05-24 provides specific requirements and deadlines that departments and agencies must meet for issuing the PIV credentials (also referred to as HSPD-12 badges or cards) to employees and contractors. Under HSPD-12, department and agency heads conduct background investigations, adjudicate the results, and issue identity credentials to their employees and contractors who require long-term access (i.e., more than six months) to federally controlled facilities and/or information systems.[22] M-05-24 also specifically provides instructions for developing plans, completing background investigations, and issuing credentials to current employees, current contractors, new employees, and new contractors.

[22] M-05-24, p. 2, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.

Current SEC Employees

M-05-24 requires agencies to develop a plan and begin the required background investigations for current employees who did not have an initiated or successfully adjudicated investigation (i.e., a NACI or other OPM or National Security community investigation) on record by October 27, 2005. In addition, M-05-24 requires agencies to verify and/or complete background investigations for all current employees, excluding those who have been employed by the federal government over 15 years, by October 27, 2007.[23] Further, the M-05-24 Implementation Standard stated, “For individuals who have been federal department or agency employees over 15 years, a new investigation may be delayed, commensurate with risk, but must be completed no later than October 27, 2008.”[24]

[23] M-05-24, page 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.
[24] M-05-24, page 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.

Plan and Initiation of Background Investigations for Current Employees. During interviews with Personnel Security Branch staff, we were informed that the Personnel Security Branch has developed an informal plan to conduct background investigations, adjudicate results, and issue credentials for employees with less than 15 years of federal service, based on the number of staff in each division or office. However, we found no formal documentation of this plan and thus were unable to confirm if the SEC ever satisfied the requirement that a plan be developed by October 27, 2005. We note that in a previous inspection conducted by the OIG in March 2008 with respect to its audit on Background Investigations,[25] we similarly found that “the Office of Human Resources [did] not have a formal plan of how it intend[ed] to meet this requirement [to develop a plan by October 27, 2005]. Additionally, due to limited resources, OHR ha[d] not focused its efforts on meeting this requirement.” Consistent with our finding in the OIG’s March 2008 Background Investigations report, we found in this audit that background investigations were not begun for all current employees who did not have an initiated or completed investigation on record by the October 27, 2005 deadline, due to the lack of resources. Although we were unable to confirm an exact date for when the required background investigations were actually initiated, the Personnel Security Branch informed us that background investigations were completed for all current employees with less than 15 years of federal service in or about March or April of 2009.

[25] Background Investigations, Inspection Report No. 434, March 28, 2008, http://www.sec-oig.gov/Reports/AuditsInspections/2008/434final.pdf.

Verification and/or Completion of Background Investigations for All Current Employees With Less Than 15 Years Federal Service. As described above, the OIG found that the SEC did not verify and/or complete background investigations for all current employees, excluding those who have been employed by the federal government more than 15 years, until March or April of 2009 — approximately a year and a half after the October 27, 2007, completion date required by M-05-24.[26] We were informed by the Personnel Security Branch that the SEC did not meet this deadline due to a lack of resources.

[26] We were unable to confirm the exact date of completion. The Personnel Security Branch informed us that the SEC verified and/or completed background investigations for all current employees, excluding those who have been employed by the federal government over 15 years, around the March/April 2009 timeframe.

Investigations for Employees With More Than 15 Years of Federal Service. As of December 31, 2010, the SEC had not verified and/or completed background investigations for 1,263[27] employees who have more than 15 years of federal government service. As a result, the SEC did not meet the October 27, 2008, deadline requirement set forth in M-05-24. Moreover, based on interviews with Personnel Security Branch staff, we learned that the SEC has not developed a formal, documented plan, commensurate with risk, to complete these background investigations. Although the Personnel Security Branch represented to us that the Branch has an informal plan, this informal plan (based upon the size of divisions or offices) is not consistent with M-05-24, which requires that outstanding background investigations be conducted commensurate with risk. By not conducting the outstanding background investigations commensurate with risk, the agency has allowed employees to continue to occupy key agency positions without having a successfully adjudicated background investigation equivalent to or greater than a NACI. For example, based on the SEC Executive Director’s (ED) Notice of Personnel Action dated January 3, 2010, the ED’s position is classified as critical sensitive risk.
However, the ED does not have a\nsuccessfully adjudicated background investigation completed that is equivalent to\nor greater than a NACI, which is the minimum background investigation level\nrequired. During the course of this audit, on or about December 14, 2010, a\nbackground investigation was initiated for the ED; however, the background\ninvestigation has not yet been completed.\n\nDuring an interview with the ED, we were informed that all remaining background\ninvestigations would be initiated in January 2011, and adjudications and the\nverification of background investigations for employees requiring investigations\nwould be completed by March 31, 2011. In the SEC\xe2\x80\x99s December 2010 quarterly\nHSPD-12 the Implementation Status Report to OMB, the SEC indicated that it\nwould complete adjudication and verification of background investigations for all\nemployees and contractors by March 2011. However, we were informed on\nFebruary 2, 2011, that the SEC had still not begun the background investigations\nfor 1,263 employees who have been employed by the federal government for\nover 15 years. The ED indicated that the delay in processing these\ninvestigations is due to workload demands. As previously mentioned, this is the\nsame justification provided for the prior delay in implementing HSPD-12 with\nrespect to employees with less than 15 years of federal service. The initiation,\nverification, and completion of background investigations for all current\nemployees with less than 15 years of federal service occurred during a period\nwhen the Personnel Security Branch employed only one adjudicator for\nbackground investigations for the entire agency. In 2008, the Personnel Security\nBranch increased the number of adjudicators from one to three. 
Further, the\nfederal government has been operating under a continuing resolution and hiring\nhas therefore been restricted; as a result, we believe that the Personnel Security\n\n27\n   This number represents the total number of employees with more than 15 years of federal service who\neither (1) had a background investigation completed more than 15 years ago that was at least equivalent to\na NACI; or (2) never had a background investigation that was at least equivalent to a NACI completed.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                     March 31, 2011\nReport No. 481\n                                                    9\n\x0cBranch has had adequate time to initiate and adjudicate background\ninvestigations for all employees who still require investigations.\n\nMoreover, the continuous delays related to the Personnel Security Branch\xe2\x80\x99s not\ninitiating background investigations for current employees with more than 15\nyears of federal service may likely result in further delays in the SEC\xe2\x80\x99s\nimplementation of HSPD-12. As a consequence, the SEC may have to report to\nOMB in its March 31, 2011, quarterly HSPD-12 Implementation Status Report yet\nanother new completion date.\n\nCurrent SEC Contractors\nM-05-24 required agencies to develop a plan and begin the required background\ninvestigations for all current contractors who did not have a successfully\nadjudicated investigation on record by October 27, 2005. 28 In addition, M-05-24\nprovided that the requirement should be phased in to coincide with the contract\nrenewal cycle, but no later than October 27, 2007. 
29 In the SEC\xe2\x80\x99s quarterly\nHSPD-12 Implementation status report provided to OMB on December 31, 2010,\nthe SEC reported that 785 30 of approximately 1,427 contractors31 required PIV\ncredentials.\n\nBased on interviews with Personnel Security Branch staff, we understand that\nthe SEC has begun initiating required background investigations and adjudicating\nthose investigations for current contractors for whom they have received a\nrequest from the contractor\xe2\x80\x99s assigned Contracting Officer\xe2\x80\x99s Technical\nRepresentative (COTR) and the Inspection and Acceptance Officials (IOA).\nHowever, a formal documented plan has not been prepared for ensuring that\nbackground investigations are completed for all contractors employed by the\nSEC. While the Personnel Security Branch receives a consolidated, up-to-date\nlist of current SEC employees from the SEC\xe2\x80\x99s payroll system, it has not received\na consolidated, up-to-date list of all contractors who are employed by the SEC\nwho require long-term access to SEC-controlled facilities or SEC information\nsystems. Consequently, we found that the Personnel Security Branch is unable\nto accurately determine which contractors have a successfully adjudicated\nbackground investigation on record, unless it has been processed at the request\nof the COTR.\n\n\n\n28\n   M-05-24, p. 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\n29\n   M-05-24, p. 6, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\n30\n   This number represented the \xe2\x80\x9c\xe2\x80\x9cNumber of Contractors requiring PIV credentials\xe2\x80\x9d as reported by the SEC\nto OMB on December 2010 in its HSPD 12 Implementation Status Report,\nhttp://www.sec.gov/about/piv_report_for_omb.pdf.\n31\n   The total number of contractors was calculated using data provided in the SEC\xe2\x80\x99s December 31, 2010,\nquarterly HSPD-12 Implementation Status Report. 
The total number of contractors (1,427) is the sum of the "Number of Contractors requiring PIV credentials" (785) and "Total Number of PIV Credentials Issued to Contractors" (642); however, Personnel Security Branch staff acknowledged that they were unsure of the actual total number of SEC contractors.

We contacted the OAS Office of Acquisitions (OA) to obtain an up-to-date list of all current contractors. The contractor list OA provided was incomplete and outdated. Through interviews with OA staff, we learned that OA has attempted to maintain a complete list of contractor personnel, but has not been successful due to lack of coordination between OA and COTRs regarding whether a contractor is still employed at the SEC or has been separated.[32] Consequently, the Personnel Security Branch has been unable to determine the total number of contractors who require background investigations that meet the minimum requirements of HSPD-12.

As a result of not being able to determine the actual number of contractors who are employed by the SEC, we were unable to verify whether the SEC has accurately reported to OMB its HSPD-12 implementation status as it relates to contractors. In fact, the Personnel Security Branch indicated that in the SEC's most recent submission to OMB, the information provided was only to the best of the Personnel Security Branch's knowledge because the office does not know with certainty how many contractors have departed the SEC at any given time. Therefore, it is possible that the SEC may have inaccurately reported its statistics related to contractors in its December 31, 2010, quarterly HSPD-12 Implementation Status Report. Further, without an accurate and complete record of all contractors employed by the SEC, the Commission may be unable to meet the HSPD-12 implementation status dates that it provided to OMB on December 31, 2010, to complete the adjudications and verification of background investigations for all contractors by March 2011 and issuance of PIV credentials to all contractors by June 2011.

In addition, we found that the SEC has not developed a plan, commensurate with risk, or begun required background investigations for all current contractors who do not have a successfully adjudicated investigation on record.

New SEC Employees and Contractors
M-05-24 requires that agencies adopt and accredit a registration process and initiate a NACI or equivalent investigation for all new employees and contractors by October 27, 2005.[33] As reported to OMB, the SEC only began issuing PIV credentials to all new employees and contractors as part of the onboarding process in April 2010 and has failed to meet the NACI October 27, 2005, deadline. According to the Personnel Security Branch, the SEC did not meet this deadline due to lack of resources.

We were informed that the Personnel Security Branch has hired two additional adjudicators since 2008, which increased the number of adjudicators to three. In addition, as noted above, we found that as of April 2010, the SEC had adopted a registration process for all identity credentials issued to new SEC employees and contractors who require long-term access to SEC-controlled facilities or information systems. In addition, we found that the SEC has initiated a process for conducting a NACI or equivalent investigation prior to credential issuance.

[32] We have been informed that in the future, the list of current contractors will not be maintained by OA but instead by the OAS Physical Security Branch.
[33] M-05-24, p. 5, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.

Benchmarking
We compared the SEC's December 2010 quarterly HSPD-12 Implementation Status Report with reports of (1) other federal financial agencies and (2) agencies of similar size. We determined that the SEC lags behind other agencies with similar missions (i.e., financial regulators) and/or with approximately the same number of employees and contractors with completed NACIs. We examined the HSPD-12 implementation status of four financial agencies, including the SEC. These agencies were selected because they did not have any errors in their reporting, OMB indicated that their data quality was considered "acceptable," and the date of their status report was equivalent to the date of the SEC's status report.
The financial agencies selected for our comparison were the Farm Credit Administration, the Department of the Treasury, and the Board of Governors of the Federal Reserve System (Federal Reserve Board). See Table 2 below.

  Table 2: Comparison of SEC to Other Federal Financial Agencies

  Name of Agency                 Date of Status   Percentage of Employees   Percentage of Employees
                                 Report Used      and Contractors with      and Contractors with
                                                  Completed NACIs           Issued PIV Cards
  Securities and Exchange        09/30/2010       82%                       61%
    Commission
  Farm Credit Administration     09/30/2010       99%                       95%
  Department of the Treasury     09/30/2010       99%                       90%
  Federal Reserve Board          09/30/2010       95%                       92%
  Source: Generated by OIG.

In addition, the OIG examined two additional federal agencies that are similar in size to the SEC (based on the total number of employees requiring PIV credentials reported to OMB) by reviewing their HSPD-12 Implementation Status Reports submitted to OMB as of September 30, 2010. The agencies selected were the Department of Education and the Nuclear Regulatory Commission. See Table 3 below.

 Table 3: Comparison of SEC to Other Similarly Sized Federal Departments or Agencies

 Name of Agency             Date of Status   Number of Employees and    Percentage of Employees   Percentage of Employees
                            Report Used      Contractors to Receive     and Contractors with      and Contractors with
                                             PIV Cards (Q4, FY 2010)    Completed NACIs           Issued PIV Cards
 Securities and Exchange    09/30/2010       4,971                      82%                       61%
   Commission
 Department of Education    09/30/2010       4,243                      99%                       99%
 Nuclear Regulatory         09/30/2010       5,567                      100%                      100%
   Commission
 Source: Generated by OIG.

As Tables 2 and 3 illustrate, as of September 30, 2010, the SEC reported that only 61 percent of its employees and contractors had been issued PIV cards, while its counterparts reported that they had issued PIV cards to over 90 percent of their employees and contractors.
Also, as Tables 2 and 3 show, not only has the SEC failed to meet the requirements of HSPD-12, but it also lags well behind other federal financial agencies and similarly sized federal agencies or departments in implementing HSPD-12, specifically as it relates to the percentage of employees and contractors who have been issued PIV cards.

Summary
The SEC did not comply with the HSPD-12 requirements and deadlines for current employees and contractors or for new employees and contractors. Specifically, we found that the SEC did not achieve any of the agency action deadlines specified in M-05-24. In particular, we found that the SEC did not develop a formal plan or verify and complete background investigations for all current employees with less than 15 years of federal service prior to the October 27, 2007, deadline. Additionally, we found that the SEC has not completed background investigations for all employees who have more than 15 years of federal service and thus did not meet the October 27, 2008, deadline. We also found that the informal plan developed by the Personnel Security Branch to implement HSPD-12 is not commensurate with risk, but rather was developed based on the population of divisions and offices with employees requiring background investigations.

We further determined that the SEC does not have a complete, up-to-date list of all contractors who are employed by the SEC. Furthermore, we were unable to verify that the SEC is accurately reporting its HSPD-12 implementation status to OMB as it pertains to contractors due to the lack of a complete and consolidated list of contractors. Also, we found that the SEC has not developed a plan or adjudicated background investigations for all current contractors. In addition, we found that the SEC significantly delayed issuing PIV credentials as required to new employees and contractors, due to a claimed lack of resources.

As a result of the continuous delays resulting from the Personnel Security Branch's not initiating new background investigations for current employees who have been employed by the federal government for more than 15 years, it is likely that the SEC will have to further delay its implementation of HSPD-12 and will have to report a new estimated completion date to OMB in its March 31, 2011, quarterly HSPD-12 Implementation Status Report. In addition, by not developing and issuing an adequate implementation plan for the completion of background investigations for current employees and contractors who still require background investigations, as required by M-05-24, the SEC may not be able to meet the March 2011 date for completion of adjudications and verification of background investigations for all current contractors and employees or issue PIV credentials to all contractors and employees by June 2011.

Further, due to the lack of tracking of contractors' employment status, the SEC cannot ensure that the PIV credential statistics reported to OMB related to contractors are reliable and accurate. In addition, the SEC is not realizing the full benefits of the PIV credentials due to the lack of full implementation.
By not fully implementing PIV credentials for physical and logical access, the SEC is unable to realize the significant benefits of the PIV credentials, such as greater security by virtue of enhanced authentication, increased government efficiency because all federal employees have the same identification cards, reduced identity fraud because the cards are assigned a personal identification number (PIN) for each employee associated with the card, and protection of personal privacy resulting from encryption of the personal data contained in the cards.

    Recommendation 1:

    The Office of Human Resources should immediately prepare formal, documented plans for initiating background investigations for all current employees who do not have successfully adjudicated background investigations on record, commensurate with risk.

    Management Comments. OHR concurred with this recommendation. See Appendix VI for management's full comments.

    OIG Analysis. We are pleased that OHR concurred with this recommendation.

    Recommendation 2:

    The Office of Human Resources should immediately, but no later than 90 days after the issuance of this report, initiate background investigations for all current employees who do not have successfully adjudicated investigations on record, commensurate with risk.

    Management Comments. OHR concurred with this recommendation. See Appendix VI for management's full comments.

    OIG Analysis. We are pleased that OHR concurred with this recommendation.

    Recommendation 3:

    The Office of Administrative Services should identify and develop a consolidated list of all contractors who are employed by the Commission. In addition, the Office of Administrative Services should coordinate with the Contracting Officer's Technical Representatives and Inspection and Acceptance Officials to implement policies and procedures for ensuring that the list remains up to date.

    Management Comments. OAS concurred with this recommendation. See Appendix VI for management's full comments.

    OIG Analysis. We are pleased that OAS concurred with this recommendation.

    Recommendation 4:

    The Office of Administrative Services should provide the Office of Human Resources Personnel Security Branch with a copy of the up-to-date consolidated contractor list on a weekly basis.

    Management Comments. OAS concurred with the recommendation. See Appendix VI for management's full comments.

    OIG Analysis. We are pleased that OAS concurred with this recommendation.

    Recommendation 5:

    Upon receipt of the up-to-date consolidated contractor list, the Office of Human Resources Personnel Security Branch should determine which contractors do not have successfully adjudicated background investigations on record and develop a plan to begin the required background investigations immediately.

    Management Comments. OHR concurred with the recommendation. See Appendix VI for management's full comments.

    OIG Analysis. We are pleased that OHR concurred with this recommendation.

    Recommendation 6:

    Upon receipt of the up-to-date consolidated contractor list, the Office of Human Resources should ensure that accurate status reporting has been made to the Office of Management and Budget.

    Management Comments. OHR concurred with the recommendation. See Appendix VI for management's full comments.

    OIG Analysis. We are pleased that OHR concurred with this recommendation.


Finding 2: The SEC Does Not Have the Authority to Determine Eligibility of a Person for Access to Classified Information

         Since June 30, 2008, the SEC has adjudicated and determined the eligibility of 26 employees and contractors to access classified information without receipt of delegated authority from the Director of National Intelligence (DNI). We found that these determinations were based on incorrect policies and procedures and as a result found that the determinations for access to classified information that were made by the Office of Executive Director (OED) may not meet the minimum requirements of the adjudicative guidelines set forth by DNI.

On January 27, 1986, the SEC Chairman's Office transferred authority over the personnel security function to the OED and designated the ED as the Commission's Personnel Security Officer and the Director of Personnel (i.e., the Associate Executive Director for Human Resources) as the Assistant Personnel Security Officer. The transfer of this authority made the ED responsible for the overall management of the SEC's background investigation program and OHR responsible for administering the program on behalf of the agency.
Since this delegation, the OED has retained responsibility for adjudicating the background investigations of employees and contractors who require access to classified information and assigned OHR's Personnel Security Branch responsibility for conducting suitability determinations for employees, contractors, and persons requiring temporary access.

On June 30, 2008, President George W. Bush signed Executive Order 13467, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information,[34] which designated the DNI as "the Security Executive Agent." According to Executive Order 13467, the DNI, among other things, is "responsible for developing uniform and consistent policies and procedures to ensure the effective, efficient, and timely completion of investigations and adjudications relating to determinations of eligibility for access to classified information or eligibility to hold a sensitive position"; serves as the final authority to designate an agency to determine eligibility for access to classified information in accordance with Executive Order 12968 of August 4, 1995;[35] and ensures reciprocal recognition of eligibility for access to classified information among the agencies.

[34] Executive Order 13467, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information, June 30, 2008, http://www.fas.org/irp/offdocs/eo/eo-13467.htm.
[35] Executive Order 12968, Access to Classified Information, August 4, 1995, http://www.fas.org/sgp/clinton/eo12968.html. Executive Order 12968 establishes a uniform federal personnel security program for employees who will be considered for initial or continued access to classified information.

Consistent with Executive Order 13467, on October 1, 2008, the DNI issued Intelligence Community Directive (ICD) Number 704, Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and other Controlled Access Program Information.[36] This directive, among other things, requires the application of uniform personnel security standards and procedures to facilitate effective initial vetting, continuing personnel security evaluation, and reciprocity throughout the intelligence community.

We contacted the DNI on January 5, 2011, to determine if the DNI had provided the SEC with the designated authority to determine eligibility for access to classified information. A Chief Assessment Officer at the DNI stated that based on a review of DNI records, the SEC had not received authority to make eligibility determinations for access to classified information.

We found that although the SEC has received authority from OPM to make suitability determinations,[37] the SEC has not received the authority from the DNI to make eligibility determinations for access to classified information or the holding of a sensitive position. We found that notwithstanding this lack of authority, the SEC has made eligibility determinations for access to classified information and submitted to OPM adjudication actions for 26 employees and contractors for access to classified information.
In addition, we found that the OED is using materials[38] obtained from training sessions that OED personnel have attended to make eligibility determinations for access to classified information or the holding of sensitive positions, rather than the policies and procedures issued by the DNI, which include ICD 704.[39] As a result, the OED may have made determinations that particular employees or contractors should receive access to classified information when, in fact, had the OED used the uniform policies and procedures developed by the DNI, these determinations may not have been favorable, based on the DNI's guidelines. Additionally, if any of the 26 employees or contractors were to transfer to another federal department or agency, they could potentially be granted reciprocity when, in fact, they might not have properly received a favorable determination.

[36] Intelligence Community Directive, Number 704, Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information, effective October 1, 2008, http://www.fas.org/irp/dni/icd/icd-704.pdf.
[37] See 5 C.F.R. § 731.103 – Delegation to agencies, http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=eff878f50f31e1d9d9fe7f90c34674ee&rgn=div5&view=text&node=5:2.0.1.1.7&idno=5, which states, "(a) Subject to the limitations and requirements of paragraphs (f) and (g) of this section, OPM delegates to the heads of agencies authority for making suitability determinations and taking suitability actions (including limited, agency-specific debarments under §731.205) in cases involving applicants for and appointees to covered positions in the agency."
[38] The training materials used by OED personnel to make eligibility determinations to access classified information were Revised Adjudicative Guidelines for Determining Eligibility for Access to Classified Information, issued by the White House on December 29, 2005, in a memorandum for William Leonard, Director of Information Security Oversight Office, Subject: Adjudicative Guidelines, signed by Stephen J. Hadley, Assistant to the President for National Security Affairs; and Investigative Standards for Background Investigations for Access to Classified Information, updated December 2004.
[39] While we found that there were similarities between the training materials used by the OED for making eligibility determinations to access classified information and the appropriate eligibility standards outlined in DNI's ICD 704, there were also several differences and certain requirements in ICD 704 that were not in the training materials utilized by the OED.

We contacted the SEC Chairman's Correspondence Office[40] to determine if the SEC had received notice of Executive Order 13467 from the White House and if, upon receipt, the Chairman's Correspondence Office provided the OED with a copy of the Executive Order and required the OED to take action to implement it. The Chairman's Correspondence Office indicated that it did not have a record of receiving a copy of Executive Order 13467 (which the Correspondence Office indicated was unusual), but that if it had received the Executive Order, it would have referred the Executive Order to the OED for action. We were informed by OED staff that they were aware of the issuance of Executive Order 13467; however, they were unaware of any actions that were required on their part.

In summary, we determined that the SEC has acted outside of its authority in making determinations of eligibility for access to classified information.
Further, we found that the 26 determinations of eligibility for access to classified information made between June 2008 and December 2010 were not based on the uniform policies and procedures developed by the DNI. In addition, we found that the determinations of eligibility for access to classified information that were made by the OED might receive improper reciprocal recognition by other agencies, which could result in persons receiving access to classified information when, in fact, they should not have been granted eligibility to receive such access.

     Recommendation 7:

     The Office of Executive Director should discontinue adjudicating all eligibility determinations for access to classified information or holding a sensitive position until the Securities and Exchange Commission has received an appropriate delegation of authority to conduct such determinations from the Director of National Intelligence.

     Management Comments. OED concurred with the recommendation. See Appendix VI for management's full comments.

     OIG Analysis. We are pleased that OED concurred with this recommendation.

[40] We contacted the Chairman's Correspondence Office on February 17, 2011, and February 23, 2011.

     Recommendation 8:

     The Office of Executive Director should identify all eligibility determinations for access to classified information or holding a sensitive position adjudicated by the Securities and Exchange Commission since June 30, 2008, and, upon receipt of authority from the Director of National Intelligence, conduct a quality control assessment to ensure that the determinations were conducted in accordance with the uniform policies and procedures developed by the Director of National Intelligence.

     Management Comments. OED concurred with the recommendation. See Appendix VI for management's full comments.

     OIG Analysis. We are pleased that OED concurred with this recommendation.

     Recommendation 9:

     The Office of Executive Director, upon receipt of authority from the Director of National Intelligence to make eligibility determinations for access to classified information or holding a sensitive position, should use the uniform policies and procedures developed by the Director of National Intelligence when making such determinations.

     Management Comments. OED concurred with the recommendation. See Appendix VI for management's full comments.

     OIG Analysis. We are pleased that OED concurred with this recommendation.


Finding 3: OAS's Physical Security Branch Is Making Eligibility Determinations for Applicants Seeking Temporary Access to SEC Facilities Without the Proper Authority

        OAS's Physical Security Branch is making eligibility determinations for applicants seeking temporary access[41] to SEC facilities without the proper authority. Additionally, the Physical Security Branch is not using the appropriate standards for making these determinations.
        As a result, applicants may unjustly be denied access to SEC facilities without the right to appeal.

[41] Temporary access is defined as access to SEC facilities or logical access to SEC information systems for a period of more than one day but less than six months.

According to 5 C.F.R. § 731.103, "OPM delegates to the heads of agencies authority for making suitability determinations and taking suitability actions . . . ."[42] As noted above, on January 27, 1986, the Chairman's Office transferred authority for the personnel security function to the OED and designated the ED as the Commission's Personnel Security Officer and the Director of Personnel (i.e., the Associate Executive Director for Human Resources) as the Assistant Personnel Security Officer. The transfer of this authority made the ED responsible for the overall management of the SEC's background investigation program and OHR's Personnel Security Branch responsible for administering the program on behalf of the agency. Similarly, the OHR intranet site states, "The Office of the Executive Director (OED) is responsible for overall management of the SEC's background investigation program, and OHR is responsible for administering the program."[43]

Executive Order 13467 defines "adjudication" as "the evaluation of pertinent data in a background investigation, as well as any other available information that is relevant and reliable, to determine whether a covered individual is: (i) suitable for Government employment; (ii) eligible for logical and physical access; (iii) eligible for access to classified information; (iv) eligible to hold a sensitive position; or (v) fit to perform work for or on behalf of the Government as a contractor employee."[44]

In the Federal Managers' Financial Integrity Act Assurance Statement submitted by OAS to the SEC Chairman on September 15, 2010, OAS stated, "We installed electronic fingerprinting equipment to enhance the process of performing criminal and background checks on employees, contractors, and intermittent vendors who need access to SEC facilities."[45]

During this audit, we found that the Physical Security Branch staff conduct risk assessments of contractors who require unescorted temporary access (i.e., for periods of less than six months) to SEC facilities based on fingerprint results that are received from the FBI, using an electronic fingerprint verification system called the Civilian Applicant System (CAS). We also learned that the Physical Security Branch staff use the CAS to collect fingerprints from temporary contractors who are seeking unescorted access (e.g., construction staff), and these fingerprints are then sent through the CAS system to the FBI.
Within 24\n\n42\n   5 CFR \xc2\xa7 731.103, Delegation to agencies.\n43\n   http://insider.sec.gov/human_resources/hiring_staffing/background-security-clearances.html.\n44\n   Executive Order 13467, Reforming Processes Related to Suitability for Government Employment, Fitness\nfor Contractor Employees, and Eligibility for Access to Classified National Security Information, June 30,\n2008, http://www.fas.org/irp/offdocs/eo/eo-13467.htm.\n45\n   Memorandum to SEC Chairman Mary Schapiro from Sharon Sheehan, Associate Executive Director,\nOffice of Administrative Services, Subject: Federal Managers\xe2\x80\x99 Financial Integrity Act Assurance Statement;\nSeptember 15, 2010, p. 6.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                        March 31, 2011\nReport No. 481\n                                                    21\n\x0chours, the FBI provides the Physical Security Branch with fingerprint results\nindicating if the applicant has a criminal record and, if so, the types of crimes the\napplicant has committed. Once the results are received in the CAS system, the\nPhysical Security Branch staff review the results and conduct a risk assessment\nto determine whether the temporary contractor is an acceptable risk and can\nwork within the SEC\xe2\x80\x99s facilities. If a favorable risk determination is made by\nPhysical Security Branch personnel, an on-site business badge is issued to the\ntemporary contractor. 
However, we found that the Physical Security Branch does not have formal, documented procedures for its risk assessment process or for the criteria it uses to determine the suitability of applicants.

Although we were informed in an interview that the Physical Security Branch does not “perform OHR adjudications,” the Physical Security Branch acknowledged that it conducts “a risk assessment of the candidates to determine if the candidate poses a risk to the SEC staff or facilities.” In interviews, the Physical Security Branch staff represented the following: “We (Physical Security Branch) determine whether or not the person is a risk to other SEC employees.” Moreover, it is clear from the results of our audit that the Physical Security Branch is evaluating pertinent, relevant, and reliable data received from the FBI to determine whether a covered individual is fit to perform work for or on behalf of the government as a contractor employee. In conducting such evaluations, the Physical Security Branch is relying upon results from the FBI to determine if the person is of “acceptable risk” to perform work for or on behalf of the government. Thus, the Physical Security Branch is engaged in evaluating an individual’s background data to determine eligibility for physical access to agency facilities and, therefore, is essentially performing an adjudication as that term is defined in Executive Order 13467.

The Physical Security Branch has no written policies and procedures for conducting its risk assessments and is not adhering to the OHR guidelines46 for adjudications, which require uniformity in suitability case processes and adjudication.
In addition, these guidelines assist in adjudicating cases using sound judgment, objectivity, and careful analysis, while ensuring that the procedures used and the results of the determination are consistent and not arbitrary.

Moreover, we were informed by the Physical Security Branch that the fingerprint and risk assessment results are not communicated to the Personnel Security Branch, even though the Personnel Security Branch is responsible for making suitability determinations and for maintaining the repository of records that are used in determining the eligibility of employees or contractors to access SEC facilities. We confirmed during interviews with Personnel Security Branch staff that the results of the Physical Security Branch’s risk assessments are not provided to the Personnel Security Branch.

46  OHR uses the Office of Personnel Management, Federal Investigative Services Division, Suitability Processing Handbook, September 2008, as guidelines for its suitability/background investigations program.

Accordingly, we found that the Physical Security Branch has been determining the eligibility of individuals for temporary access to SEC facilities without the authority to do so and has not followed the appropriate standards in making these determinations. Consequently, the Physical Security Branch may have provided applicants access to SEC facilities where such access would have been denied had the case been adjudicated under the OHR guidelines.
Alternatively, the Physical Security Branch may have unjustly denied persons access to SEC facilities, and those individuals would not have any right of appeal.

    Recommendation 10:

    The Office of Administrative Services should immediately discontinue making eligibility determinations without proper authorization for persons requiring temporary access to Securities and Exchange Commission facilities or information systems.

    Management Comments. OAS concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased OAS concurred with this recommendation.

    Recommendation 11:

    The Office of Administrative Services should immediately provide the Office of Human Resources Personnel Security Branch with a list of all persons who have been provided or denied access based on the Physical Security Branch’s risk assessments, as well as a copy of all fingerprint records, supporting documentation, and the results of the risk assessments.

    Management Comments. OAS concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OAS concurred with this recommendation.

    Recommendation 12:

    The Office of Human Resources, in coordination with the Office of Administrative Services, should develop policies and procedures for determining the eligibility of contractors, visitors, and guests requiring temporary access to Securities and Exchange Commission facilities or information systems.

    Management Comments. OHR concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OHR concurred with this recommendation.


Finding 4: PIV Cards Are Not Consistently Enrolled in the SEC’s Physical Access Control System and Badge Requirements for Physical Access to SEC Facilities Have Not Been Communicated to All Employees and Contractors

        The SEC’s regional offices have not consistently enrolled PIV badges into the SEC’s physical access control system. In addition, OAS has not communicated badging requirements for physical access to employees and contractors. As a result, the SEC has not met HSPD-12’s requirement to use PIV cards for gaining physical access to SEC-controlled facilities and information systems.

HSPD-12 states, “As promptly as possible, but in no case later than eight months after the date of promulgation of the Standard, the heads of executive departments and agencies shall, to the maximum extent practicable, require the use of identification by federal employees and contractors that meets the Standard in gaining physical access to federally controlled facilities and logical access to federally controlled information systems.”47

Additionally, NIST Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), states, “HSPD-12 mandates the establishment of a government-wide standard for identity credentials to improve physical security in federally controlled facilities.”48 It further notes, “HSPD-12 explicitly requires the use of PIV Cards ‘in gaining physical access to federally controlled facilities and logical access to federally controlled information systems.’”49

Employees and contractors working at the SEC’s headquarters and the Operations Center receive their PIV badges from a GSA registrar who is located in the SEC’s badging office at headquarters. At the time an employee or contractor receives his or her badge from the GSA registrar, the employee or contractor is enrolled into the SEC’s physical access control system, known as the Diebold Hirsh system. However, in the regional offices, employees and contractors receive their PIV badges (also referred to as credentials and HSPD-12 badges) at a GSA Managed Service Office (MSO), which is normally located off site.

47  HSPD-12, http://csrc.nist.gov/drivers/documents/Presidential-Directive-Hspd-12.html.
48  National Institute of Standards and Technology (NIST), Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November 2008, p. 4 [footnote omitted], http://csrc.nist.gov/publications/nistpubs/800-116/SP800-116.pdf.
49  NIST Special Publication 800-116, p. 4, http://csrc.nist.gov/publications/nistpubs/800-116/SP800-116.pdf.
After receiving their PIV badges, these employees and contractors must return to their assigned regional office and inform their administrative officer (or other designated person) that they are in possession of the PIV badge in order for it to be enrolled into the SEC’s physical access control system and/or a building-owned, proprietary physical access control system.

As part of our fieldwork, we conducted a survey of the SEC’s 11 regional offices50 to determine if employees and contractors who have been issued HSPD-12 badges have had them enrolled into the SEC’s physical access control system. All 11 regional offices responded to the survey and indicated that a physical access control system, either the Diebold Hirsh system or a building-owned proprietary system, is used to access the SEC’s office space at the regional offices. However, based on the survey, as answered by the administrative officers in the regional offices, only 37 percent of the regional offices responded that employee badges are enrolled into the physical access control system and only 46 percent responded that contractor badges are enrolled into the physical access control system. In fact, only 2 of the 11 regional offices that responded on this issue indicated that they have been notified by an SEC employee when an HSPD-12 badge has been issued to the employee, and only 1 of the 11 regional offices indicated that it either received an e-mail or phone call from the Personnel Security Branch notifying it of the issuance of an HSPD-12 badge.
The remaining 7 regional offices responding on this issue stated that they are not notified when an employee has been issued an HSPD-12 badge.

OAS informed us that it was unaware of any official guidance issued to agency staff or the regional offices requiring enrollment of PIV credentials into the SEC’s physical access control system, and further stated that the PIV credentials would be the primary physical access badge used by SEC employees and contractors. In addition, the Physical Security Branch advised us that enrollment of the PIV badge and SEC badges into the physical access control system is done locally at the regional offices and that the regional offices’ administrative officers, not headquarters, are responsible for enrolling the HSPD-12 badges into the physical access control system. However, the OIG survey found that the administrative officers at the regional offices are not requiring the enrollment of PIV credentials into the SEC’s physical access control system.

Additionally, we found that on October 2, 2006, OAS distributed a newsletter to Division/Office Heads, Regional Directors/District Administrators, administrative officers, and Budget Analysts that provided information regarding HSPD-12 and changes to the SEC’s physical access control system that would take place to support the new PIV cards. However, the newsletter did not indicate that OAS expected that the PIV credential would be the primary badge used by SEC employees and contractors.

50  The SEC’s 11 regional offices are Atlanta, Boston, Chicago, Denver, Fort Worth, Los Angeles, Miami, New York, Philadelphia, Salt Lake City, and San Francisco.

We found that OAS’s lack of guidance or communication of its expectations to regional offices’ administrative officers (or other designated staff) regarding the enrollment of PIV badges in the SEC’s physical access control system located within their specific regional office has resulted in the failure of administrative officers to understand management’s expectations for enrolling PIV badges into the physical access control system. In addition, we found that administrative officers, or designated persons in charge of enrolling badges into the physical access control system, are not informed in most cases by OHR or the badge holders (i.e., SEC employees and contractors) that they are in possession of a PIV credential so it can be enrolled. As a result, the SEC has not met HSPD-12’s requirements to use the PIV cards to gain physical access to the SEC’s regional office facilities and thus has not taken advantage of the significant benefits of the PIV cards, as noted above, including greater security by virtue of enhanced authentication, increased government efficiency, reduction of identity fraud, and increased protection of personal privacy.

    Recommendation 13:

    The Office of Administrative Services should communicate to regional office staff its expectations for enrolling Personal Identity Verification credentials into their physical access control systems and using the Personal Identity Verification credential as the primary badge for physical access to Securities and Exchange Commission facilities.

    Management Comments. OAS concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OAS concurred with this recommendation.

    Recommendation 14:

    The Office of the Executive Director should require administrative officers in the regional offices, or designated points of contact, to enroll Personal Identity Verification cards in the Securities and Exchange Commission’s physical access control system.

    Management Comments. OED concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OED concurred with this recommendation.

    Recommendation 15:

    The Office of the Executive Director should communicate to all Securities and Exchange Commission employees and contractors their responsibility to inform the appropriate regional office official that they have been issued a Personal Identity Verification card so that the card can be enrolled into the Securities and Exchange Commission’s physical access control system.

    Management Comments. OED concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OED concurred with this recommendation.


Finding 5: OAS’s Physical Security Branch Badging Policy Is Outdated and Does Not Include Procedures for Issuance and Revoking of Badges

        OAS’s Physical Security Branch does not have current policies and procedures for issuing and revoking badges or for requiring the use of the PIV credentials as the common means of authentication for access to SEC facilities and information systems.
        As a result, SEC employees and contractors could obtain access to SEC facilities beyond their separation date and also may be unaware of the right to appeal a decision denying or revoking their credentials.

OMB Circular A-123 states, “Management controls are the organization, policies, and procedures used to reasonably ensure that: (i) programs achieve their intended results; (ii) resources are used consistent with agency mission; (iii) programs and resources are protected from waste, fraud, and mismanagement; (iv) laws and regulations are followed; and (v) reliable and timely information is obtained, maintained, reported and used for decision making.”51

FIPS 201-1 provides that an agency’s PIV implementation must include “a revocation process . . . such that expired or invalidated credentials are swiftly revoked.”52 Further, FIPS 201-1 states, “The PIV credential shall be revoked if the results of the investigation so justify.”53 In addition, FIPS 201-1 requires agencies to “[m]aintain appeals procedures for those who are denied a credential or whose credentials are revoked.”54

51  Office of Management and Budget, Circular A-123, To the Heads of Executive Departments and Establishments; From: Alice M. Rivlin, Director; Subject: Management Accountability and Control; Revised June 21, 1995; http://www.whitehouse.gov/omb/circulars_a123/ (accessed on 02/03/2011).
52  FIPS 201-1, p. 5, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.
53  FIPS 201-1, p. 6, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.

In addition, M-05-24 requires agencies, prior to identification issuance, to “[d]evelop, implement and post in multiple locations (e.g., agency intranet site, human resource offices, regional offices, provide at contractor orientation, etc.) [the] department’s or agency’s … appeals procedures for those denied identification or whose identification credentials are revoked….”55

Moreover, OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors,56 states that “each agency should develop and issue an implementation policy, by March 31, 2011, through which the agency will require the use of the PIV credentials as the common means of authentication for access to that agency’s facilities, networks, and information systems.” Based on our review of the SEC’s policies and procedures, we determined that the agency has not developed and issued an implementation policy that requires the use of the PIV credentials as the common means of authentication for access to the SEC’s facilities, networks, and information systems.

Further, GSA’s PIV Card Issuer Operations Plan states in Section 4.1.3, Expiration Date Requirements, that “All credentials issued by MSO [GSA’s Managed Service Office] must have an expiration date printed on the card. The expiration date for all credentials must be 5 years or less from the date of issuance.
The expiration date of Foreign Nationals cannot exceed the expiration date of their INS documents (green card, work permit, etc.).”57

We found that the Physical Security Branch does not have formal, approved operating procedures. We were informed by Physical Security Branch staff that the operating procedures were in draft and are currently under internal review.

Additionally, we determined that the SEC’s existing badging policy, SECR 5-2, Identification Cards, Press Passes and Proximity Access Control Cards,58 is outdated and does not reflect the SEC’s current badging policies and procedures or identify the types of badges that are issued. The existing badging policy does not include policies or procedures for (1) the various badge types that the SEC issues (including visitor and PIV badges), (2) revoking badges, or (3) appealing revocation of badges.59 In addition, the existing badging policy is not consistent with the SEC’s current informal policies and procedures for issuance of badges. For example, SECR 5-2 provides that regular SEC identification cards are valid for three years.60 However, Physical Security Branch staff informed us that the Branch’s normal protocol is to issue a badge for two years from the date of issuance, and that the expiration date of the badge is not always consistent with the termination date requested by the Administrative Officer or Designee on the Identification/Access Control Card Worksheet. The Identification/Access Control Card Worksheet is used by the Physical Security Branch to create badges for employees and contractors. In addition, we found that PIV credentials are issued with a standard five-year expiration date and, in some cases, have exceeded the contractor end-dates and could potentially exceed the expiration dates of INS documents (e.g., green card, work permit) for foreign nationals.

54  FIPS 201-1, p. 7, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.
55  M-05-24, p. 9, Section 6.F, http://www.whitehouse.gov/omb/memoranda/fy2005/m05-24.pdf.
56  OMB Memorandum M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, February 3, 2011, http://www.whitehouse.gov/sites/default/files/omb/memoranda/2011/m11-11.pdf.
57  GSA USAccess PIV Card Issuer Operations Plan, Version 1.0, CM # GSA-DI-0000129-1.4.0, August 1, 2007, Section 4.1.3, p. 80.
58  SECR 5-2, Identification Cards, Press Passes and Proximity Access Control Cards, November 8, 1999, http://insider.sec.gov/policies_procedures/admin_regulations/r5-2.html.

We also reviewed SECR 5-261 to determine if the SEC’s appeals procedures for individuals who are denied identification and its revocation process for expired or invalidated credentials were appropriately documented and posted to the SEC’s intranet site. We found that SECR 5-2 does not include the SEC’s appeal procedures for individuals whose credentials were denied or revoked.

We also obtained a physical access control log report from the SEC’s physical access control system (PACS) on September 7, 2010.
After reviewing the PACS log, we found that there were multiple instances where employees or contractors were issued and are in possession of two types of badges that permit physical access: (1) a PIV badge (referred to in the log as PIV II Template) and (2) an SEC badge (referred to in the log as Default Template).

During an interview with OAS staff, we were informed that it is OAS’s expectation that the HSPD-12 badges will be used as the primary physical access badge for employees and contractors requiring physical access to SEC facilities for more than six months. Although OAS indicated that the HSPD-12 badge will be the primary physical access badge, we were informed that OAS determined that it would allow the currently issued SEC badges to expire in lieu of revoking them from current users (employees and contractors). In addition, in an interview with Physical Security Branch staff, we were informed that the Physical Security Branch determined that it would not revoke SEC badges for individuals who have been issued HSPD-12 badges, because the Physical Security Branch felt that deactivating SEC-issued badges would “unnerve” employees and contractors, who prefer the SEC-issued badge over the HSPD-12 badge.

59  The SEC OIG issued Report of Investigation No. OIG-544, OIT Contract Employees Given Access to SEC Buildings and Computer Systems for Several Weeks Before Background Investigation Clearance, on January 20, 2011. The Report of Investigation found that the Physical Security Branch has no written policy available on when visitor badges are to be issued.
60  SECR 5-2, Section 2.a(3), http://insider.sec.gov/policies_procedures/admin_regulations/r5-2.html.
61  SECR 5-2, Section A.2.a(3), http://insider.sec.gov/policies_procedures/admin_regulations/r5-2.html.

As previously mentioned, the OIG sent a survey to administrative officers or other designated persons in the SEC’s 11 regional offices to obtain an understanding of the regional offices’ badging practices. Our survey asked, “When an SEC employee is no longer employed at the SEC (retires, quits, is terminated, transfers to a job outside of the SEC, etc.), identify who obtains the employee’s badge.” The survey respondents answered as follows:

        •    16.7 percent – “I obtain the badge and retain it in my office desk/cabinet or in a secured desk/cabinet.”
        •    16.7 percent – “I obtain the badge and return it to the SEC’s badging office.”
        •    16.7 percent – “I obtain the badge and return it to the SEC’s OHR, Personnel Security Branch.”
        •    8.3 percent – “I obtain the badge and shred it, put it in a recycling bin, or put it in a trash receptacle.”
        •    8.3 percent – “I do not know.”
        •    33.3 percent – Other.

Thus, our survey indicated that there were widely varying practices among the regional offices for the proper disposition of the badges of employees who have separated from the SEC. We noted that SECR 5-2 states that in the Regional and District Offices, the Administrative Contact or Staffing Assistant should destroy the employee’s regular identification card or special credential by cutting it into pieces and documenting the date of destruction in a logbook.62 However, this policy was issued in November 1999 and may no longer reflect the proper procedures for disposition of the badges of separated SEC employees.

In addition, we surveyed administrative officers or other designated persons in the regional offices about the actions they take when a contractor separates, and 91 percent of the respondents indicated that they collect the badges. We noted that SECR 5-2 does not specify any procedure for handling the badges of separated contractors in the regional offices.63

We also surveyed contracting officials, including Contracting Officers (CO), Contract Specialists, COTRs, and IAOs across the Commission regarding what happens to contractors’ badges when they separate or when their period of performance ends. Overall, 87 of 196 contracting officials responded to the survey; however, only 76 of the respondents completed the survey. In response to the question, “When a contractor is no longer assigned to an SEC contract (e.g., separation, termination, removal), or when the contract’s period of performance ends, identify the disposition of the SEC badge,” survey respondents stated the following:

        •    23.4 percent – The badge is returned to the SEC’s badging office.
        •    26 percent – Did not know the disposition of the badge.
        •    7.8 percent – The badge is taken by the CO, COTR, or IAO.
        •    6.5 percent – The badge is taken to the OHR Personnel Security Branch.
        •    36.4 percent – Other.

62  SECR 5-2, Section 10.c(3), http://insider.sec.gov/policies_procedures/admin_regulations/r5-2.html.
63  SECR 5-2, Section 10.c, http://insider.sec.gov/policies_procedures/admin_regulations/r5-2.html.

According to the procedures outlined in SECR 5-2, contractors are required to turn in their identification cards to their COTR upon termination of the contract, employment, etc.64 However, this policy does not provide guidance to the COTRs on their responsibilities for handling badges once the contractor has been terminated or the contract’s period of performance has ended. Additionally, we were unable to locate any policy or procedure that specified how COTRs should handle badges once they have received them from contractors.

Based on the results of both of our surveys, we found that the regional offices and contracting officials are not consistently obtaining the badges of employees and contractors who are separating from the SEC, and there is no consistent practice for handling the badges of separated employees and contractors. Further, we found that the SEC does not have any updated policies and procedures for revoking PIV badges. In addition, we were unable to locate any references to the SEC’s appeal procedures for individuals who have had credentials denied or revoked.

As a result, SEC employees and contractors could obtain physical access to SEC facilities beyond their separation date.
In addition, employees and contractors who are denied credentials or whose credentials are revoked may be unaware of their rights to due process and their ability to appeal the initial decision.

64  SECR 5-2, Sections 10.a(3) and 10.b(2), http://insider.sec.gov/policies_procedures/admin_regulations/r5-2.html. We note that these requirements only pertain to the Commission’s former Headquarters building (Judiciary Plaza) and the Operations Center/Annex, and are thus outdated.

    Recommendation 16:

    The Office of the Executive Director should develop and implement a policy requiring the Personal Identity Verification badge to be used as a common and primary means of authentication for physical and logical access.

    Management Comments. OED concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased OED concurred with this recommendation.

    Recommendation 17:

    The Office of Administrative Services should revise and update its Identification Cards, Press Passes and Proximity Access Control Cards policy to reflect current and proper practices for issuance and revocation of badges, including Personal Identity Verification cards, to Securities and Exchange Commission employees and contractors at all Commission facilities and post the revised policy on the Commission’s intranet site. In addition, the Office of Administrative Services should communicate the new policy to all employees and contracting officials.

    Management Comments. OAS concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OAS concurred with this recommendation.

    Recommendation 18:

    The Office of Administrative Services should develop and implement a plan to systematically revoke all Commission-issued badges for all employees and contractors who have been issued Personal Identity Verification badges and ensure the plan is implemented within six months of the date this report is issued.

    Management Comments. OAS concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OAS concurred with this recommendation.

    Recommendation 19:

    The Office of Human Resources should develop, implement, and post in multiple locations (agency intranet site, human resource offices, regional offices, contractor orientation, etc.) its appeals procedures for individuals who are denied credentials or whose credentials are revoked.

    Management Comments. OHR concurred with the recommendation. See Appendix VI for management’s full comments.

    OIG Analysis. We are pleased that OHR concurred with this recommendation.


Finding 6: OHR’s Personnel Security Branch Does Not Have Policies and Procedures for Adjudicating Foreign Nationals

        OHR’s Personnel Security Branch does not have policies or procedures specific to adjudicating foreign nationals.
As a\n        result, the Personnel Security Branch may be inconsistently\n        applying suitability guidelines to foreign nationals.\n\nM-05-24 provides, \xe2\x80\x9cSince Foreign National employees and contractors may not\nhave lived in the United States long enough for a NACI [National Agency Check\nwith Inquiries] to be meaningful, agencies should conduct an equivalent\ninvestigation, consistent with your existing policy.\xe2\x80\x9d 65 As described in the OPM\nSuitability Processing Handbook, a NACI investigation consists of searches of\nthe following records: OPM\xe2\x80\x99s Security/Suitability Investigations Index (SII); an\nFBI Name Check and National Criminal History fingerprint check; the Department\nof Defense Clearance & Investigations Index; and other records covering specific\nareas of an individual\xe2\x80\x99s background. In addition, a NACI includes written inquires\nto references, employers, places of education and residence, and other record\nsources covering specific areas of an individual\xe2\x80\x99s background. 66\n\nThe OPM Suitability Processing Handbook further states, \xe2\x80\x9cMaterials to be\nretained for an OPM Appraisal. The following information pertaining to suitability\nadjudications will be maintained for OPM review: The agency\xe2\x80\x99s suitability\nregulations and/or instructions.\xe2\x80\x9d67 We found that SEC\xe2\x80\x99s OHR Personnel Security\nBranch adopted OPM\xe2\x80\x99s Suitability Processing Handbook as its primary guide for\nall suitability investigations as a result of an OIG recommendation contained in\nthe 2008 Background Investigations inspection report. 
68 However, based on our\nreview of OPM\xe2\x80\x99s Suitability Processing Handbook, we determined that the\nhandbook does not have procedures or policies for adjudicating Foreign\nNationals.\n\nIn addition, although the Personnel Security Branch had previously informed the\nOIG that procedures for processing foreign nationals participating in the SEC\xe2\x80\x99s\nLaw Student Observer program had been completed, it did not produce any such\nprocedures. Therefore, we were unable to confirm that procedures for\nprocessing foreign national student observers were developed or issued.\n\nAs a result, personnel security activities with respect to foreign nationals may not\nbe consistently followed or conducted in accordance with federal requirements.\n\n\n65\n   M-05-24, page 5, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\n66\n   OPM Suitability Processing Handbook, September 2008, p. 3.\n67\n   OPM Suitability Processing Handbook, September 2008, p. XI-3, Section D.\n68\n   OIG Background Investigations Inspection Report No. 434, March 28, 2008, Recommendation A.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                  March 31, 2011\nReport No. 481\n                                                 33\n\x0cIn addition, background investigations of foreign nationals may be adjudicated\nusing record searches that are not equivalent to a NACI.\n\n     Recommendation 20:\n\n     The Office of Human Resources should develop internal policies and\n     procedures for suitability determinations for foreign nationals.\n\n     Management Comments. OHR concurred with the recommendation. See\n     Appendix VI for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. 
We are pleased that OHR concurred with this\n     recommendation.\n\n\nFinding 7: OIT is Unaware of the Number of\nDevices in Its Inventory That Would Physically\nPermit Authentication of PIV Cardholders\nAccessing SEC\xe2\x80\x99s Logical Information Resources\n        OIT\xe2\x80\x99s asset inventory does not account for keyboards and\n        lacks detail to easily verify laptops that have physical\n        features (i.e., card readers) to permit authentication of PIV\n        credentials. As a result, there is a risk that OIT will purchase\n        additional equipment to support the use of PIV credentials\n        for logical access when it already has the equipment in its\n        inventory.\n\nHSPD-12 requires that by October 2005, eight months after promulgation of the\nStandard, the SEC should require the use of the PIV credential for gaining logical\naccess to federally controlled information systems. 69\n\nIn our report 2010 Annual FISMA Executive Summary Report, Report No. 489,\nwe found that OIT has not completed logical access integrations of PIV\ncredentials. As a result, we recommended that OIT complete the logical access\nintegration of the HSPD-12 cards by no later than December 2011, as the SEC\nhad reported to OMB on December 31, 2010.\n\nIn addition to the above-mentioned finding and recommendation, we found that\nOIT has deployed keyboards and laptops that have card readers to employees\nand contractors without tracking which specific devices actually have card\nreaders. Furthermore, in the survey we issued to the regional offices, 9 of 11\n\n69\n  HSPD-12, http://csrc.nist.gov/drivers/documents/Presidential-Directive-Hspd-12.html.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                  March 31, 2011\nReport No. 
481\n                                                   34\n\x0cregional office representatives responded that desktops have not been deployed\nto support logical access to the SEC\xe2\x80\x99s network using HSPD-12 badges.\n\nOIT informed us that it has not tracked the number of keyboards containing card\nreaders because it has classified keyboards as a consumable device 70 and\nconsequently has not maintained an inventory of them. Based on our audit, we\nbelieve this information should be tracked notwithstanding the classification of\nkeyboards as a consumable device because it is important for OIT to know\nwhether keyboards contain card readers to avoid unnecessary expenditures. In\naddition, OIT\xe2\x80\x99s asset inventory does not contain detailed information regarding\nwhich laptops have card readers installed. As a result, the SEC is not aware of\nthe hardware in its inventory that can be used for authentication once the SEC\ndeploys identity management software throughout the enterprise to support the\nlogical access requirements of HSPD-12. Without conducting an inventory of all\nkeyboards and laptops with card readers, OIT may unnecessarily purchase new\nkeyboards and laptops with card readers or external card readers. By identifying\nthe keyboards and laptops that have card readers, OIT will be able to save the\nagency the unnecessary costs of purchasing additional equipment.\n\n     Recommendation 21:\n\n     The Office of Information Technology should immediately conduct an audit of\n     its inventory to identify and track all keyboards and laptops that contain card\n     readers.\n\n     Management Comments. OIT concurred with the recommendation. See\n     Appendix VI for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. 
We are pleased that OIT concurred with this\n     recommendation.\n\n     Recommendation 22:\n\n     The Office of Information Technology should promptly deploy appropriate\n     technology (e.g., laptops with internal card readers, keyboards with card\n     readers, or external card readers) to employees and contractors who do not\n     have card readers.\n\n     Management Comments. OIT concurred with the recommendation. See\n     Appendix VI for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation.\n\n\n70\n  OIT considers a \xe2\x80\x9cconsumable device\xe2\x80\x9d to include a piece of hardware such as a keyboard or a mouse that\ncosts less than $250 and is not a storage device (e.g., an external hard drive).\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                  March 31, 2011\nReport No. 481\n                                                 35\n\x0cFinding 8: OIT Has Unnecessarily Employed Two\nFull-Time Registrars\n        OIT employs two full-time registrars; however, based on the\n        average number of transactions processed per day, the SEC\n        requires only one part-time registrar.\n\nAs described in FIPS 201-1, a registrar (also referred to as a PIV registrar) is\nresponsible for identity proofing of applicants and ensuring the successful\ncompletion of background checks. In addition, the registrar provides the final\napproval for the issuance of a PIV credential to the applicant. 71\n\nAt the onset of HSPD-12 implementation, OIT decided to use a shared service\nprovider, GSA, for its implementation of HSPD-12. 
GSA has provided the SEC\nwith an identity management and credentialing solution for end-to-end services,\nincluding proofing and registering applicants, issuing credentials, and managing\nthe lifecycle of credentials.\n\nGSA Managed Service Offices (MSOs) are conveniently located throughout the\nUnited States and have multiple locations in the District of Columbia (D.C.)\nmetropolitan area. Although MSOs are located throughout the D.C. metropolitan\narea, GSA established an MSO office at SEC headquarters due to its proximity to\nUnion Station. GSA provided the enrollment and activation stations at no cost to\nthe SEC, but with the stipulation that the MSO at the SEC would be a shared\ncenter, meaning it would be available to both SEC employees and contractors\nand non-SEC employees and contractors.\n\nIn addition, for a limited period of time, GSA provided the SEC with one registrar\nat no cost. The SEC agreed to house the MSO at headquarters to afford SEC\nemployees and contractors the convenience of registering and activating\ncredentials without having to go off-site. However, SEC employees and\ncontractors who work in the regional offices would be required to register and\nactivate credentials at their local MSO. While the SEC initially did not pay for the\nregistrar located at SEC headquarters, beginning in June 2009, as a result of\ndelays in the SEC\xe2\x80\x99s implementation of the HSPD-12 initiative, the SEC began\npaying for the headquarters registrar. The SEC is paying approximately $72,000\nannually for a full-time register at its headquarters. In June 2010, at the request\nof OIT, the SEC opened a second MSO at the Operations Center on the premise\nthat it would be less costly to pay for an on-site station than to have contractors\nspend several hours going back and forth between the Operations Center and\nheadquarters to register and activate their credentials. 
The MSO located at the\nOperations Center is also operated by a full-time register, which costs the\n\n\n\n71\n  FIPS 201-1, page 52, http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                       March 31, 2011\nReport No. 481\n                                                    36\n\x0cCommission an additional $72,000 72 annually. The Operations Center MSO is\nonly for the use of SEC employees and contractors and is not a shared center.\n\nBased upon interviews and a review of the registrar schedule, we determined\nthat for each transaction to register or activate an HSPD-12 badge, the registrar\nis allocated 15 minutes to complete the transaction. The SEC\xe2\x80\x99s HSPD-12\nagency role administrator provided the number of transactions that occurred at\nboth MSO offices located in SEC facilities, at headquarters and the Operations\nCenter, from May 2010 through November 2010. Based on the data provided by\nthe SEC, we determined that the MSOs, on behalf of the SEC, processed a total\nof 1,215 transactions \xe2\x80\x94 1,029 at headquarters (an average of 147 transactions\nper month and 7 transactions per day) 73 and 186 at the Operations Center (an\naverage of 27 transactions per month and 1 transaction per day). 
74 See Table 4\nbelow for a breakdown of the number of transactions by month.\n\n     Table 4: Number of Transactions Processed between May\n     2010 and November 2010 by Registrars\n               Month                     Headquarters             Operations Center\n      May 2010                                 113                           44\n      June 2010                                136                           17\n      July 2010                                185                           14\n      August 2010                              141                           37\n      September 2010                           199                           20\n      October 2010                             132                           37\n      November 2010                            123                           17\n      Total                                   1,029                         186\n     Source: OIG-generated.\n\nBased on our analysis of the transaction data, we determined that the register at\nheadquarters is processing an average of only seven transactions in an eight-\nhour workday, and the registrar at the Operations Center is processing only one\ntransaction in an eight-hour workday. Yet we determined from a review of the\nGSA scheduling timeframes that it takes approximately 15 minutes to complete a\ntransaction. Therefore, the registrar at headquarters is working on processing\ntransactions for an average of only one hour and 45 minutes per day, 75 and the\n\n\n72\n   This number, $72,000, is an approximation not an exact figure.\n73\n   We calculated the average number of transactions per month of 147 by dividing the total number\ntransactions at Headquarters of 1,029 by seven months. 
Based on 20 working days per month and average\ntransactions per month of 147, we calculated the average transactions per day to be 7.35, and rounded to 7\ntransactions per day.\n74\n   We calculated the average number of transactions per month of 27 by dividing the total number of\ntransactions at the Operations Center of 186 by seven months and rounding up. Based on 20 working days\nper month and the average transactions per month of 27, we calculated the average transactions per day to\nbe 1.35, rounded to one transaction per day.\n75\n   Based on the average number of transactions per day at Headquarters of seven, multiplied by the time\nallotted for a transaction of 15 minutes, divided by 60 minutes (number of minutes in an hour), the average\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                       March 31, 2011\nReport No. 481\n                                                     37\n\x0cregistrar at the Operations Center is working on processing transactions for an\naverage of only 15 minutes per day. 76 Combined, the registrars are spending an\naverage of only two hours per day processing transactions. The SEC could\nrealize a significant cost savings by eliminating one full-time registrar and making\nthe other registrar part-time, 77 for a total cost savings of $108,000 annually. This\n$108,000 represents the cost the OIG identified that is considered cost savings\nand/or funds put to better use. See Table 5 in Appendix V for cost savings.\n\nDelays in the SEC\xe2\x80\x99s implementation of the HSPD-12 directive caused the SEC to\nfail to realize the benefits of using a full-time registrar at no cost to the\nCommission. If the SEC had achieved the time requirements set forth in the\nimplementation standard, the agency would have issued badges to all employees\nand contractors and integrated the credentials into their physical and logical\naccess controls systems by October 2008. 
As a result of implementation delays,\nOIT has had to pay for the cost of the registrar located at headquarters since\nJune 2009.\n\nIn addition, the SEC did not conduct an analysis before employing a second full-\ntime registrar or consider alternative options, such as splitting the time of the\nexisting registrar between both facilities or hiring a part-time registrar to work at\nthe Operations Center. While OIT represented that managers determined it\nwould be cheaper, they were unable to provide a formal analysis. As a result,\nthe SEC has expended a total of approximately $144,000 78 which would not have\nhad to be spent if the Commission had implemented HSPD-12 within the\nrequired timeframes. 79 Moreover, by not conducting an analysis prior to\nemploying an additional full-time registrar, the SEC has expended unnecessary\ncosts to employ two full-time registrars when, based on an eight-hour workday,\nthe two registrars combined are spending an average of only two hours per day\nprocessing transactions.\n\n\n\n\namount of time used to process transactions in an eight-hour work day is 1.75 hours or one hour and 45\nminutes.\n76\n   Based on the average number of transactions per day at the Operations Center of one multiplied by the\ntime allotted for a transaction of 15 minutes, divided by 60 minutes (number of minutes in an hour), the\naverage amount of time used to process transactions in an eight-hour workday is 0.25 hours, or 15 minutes.\n77\n   The annual cost of one registrar is approximately $72,000 (eight-hour work day), and the cost of a\nregistrar working a four-hour workday equals approximately $36,000.\n78\n   The total expended to employ a registrar located at Headquarters is the annual cost of $72,000 multiplied\nby 1.5 years (June 2009 \xe2\x80\x93 December 2010), which equals $108,000. 
The total cost expended for the\nregistrar located at the Operations Center is the annual cost of $72,000 multiplied by .5 year (June 2010 \xe2\x80\x93\nDecember 2010), which is $36,000. Therefore, the total cost of employing registrars at Headquarters and\nthe Operations Center from June 2009 through December 2010 was approximately $144,000.\n79\n   The requisite timeframes included verification and/or completion of background investigation for all current\nemployees and contractors, except for employees with more than 25 years of federal service by October 27,\n2007, and completion of background investigations for all employees with more than 15 years of federal\nservice by October 27, 2008. M-05-24, p. 6,\nhttp://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                        March 31, 2011\nReport No. 481\n                                                     38\n\x0c     Recommendation 23:\n\n     The Office of Information Technology should eliminate one-full time registrar\n     and split the time of the other full-time registrar between the Operations\n     Center and headquarters locations.\n\n     Management Comments. OIT concurred with the recommendation. See\n     Appendix VI for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OIT concurred with this\n     recommendation.\n\n\nFinding 9: OAS\xe2\x80\x99s Physical Security Branch Is Not\nMaintaining Visitor Logs in Accordance with the\nApplicable Record Retention Policies\n        OAS\xe2\x80\x99s Physical Security Branch is not maintaining visitor\n        record logs in accordance with the National Archives and\n        Records Administration\xe2\x80\x99s (NARA) two-year general records\n        schedule. 
As a result, the Physical Security Branch is\n        unable to analyze visitor logs to determine if visitors are\n        accessing the agency inappropriately (i.e., circumventing the\n        badging process for persons requiring access longer than six\n        months).\n\nThe Physical Security Branch maintains visitor control logs (referred to as the e-\nvisitor, or the EZLobby or eAdvance system) for 90 days. The EZLobby system\nis used by the Physical Security Branch staff at headquarters and the Operations\nCenter to capture detailed visitor information and issue badges. The EZLobby\nsystem allows the Physical Security Branch personnel at headquarters and the\nOperations Center to share visitor information, and it allows SEC employees to\nuse a web-based tool (eAdvance) to pre-register guests and receive e-mail\nnotification when visitors check in. Finally, EZLobby allows OAS managers to\nperform analysis of and generate reports on visitor data. 80\n\nNARA\xe2\x80\x99s General Records Schedule 18, Security and Protective Services\nRecords, Section 17, Visitor Control Files, states, \xe2\x80\x9cRegisters or logs used to\nrecord names of outside contractors, service personnel, visitors, employees\nadmitted to areas, and reports on automobiles and passengers. (a) For areas\nunder maximum security. Destroy 5 years after final entry or 5 years after date of\ndocument, as appropriate. (b) For other areas. Destroy 2 years after final entry\n\n80\n  List of SEC Systems. http://intranet.sec.gov/knowledge_center/SEC%20Systems/index.html.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                March 31, 2011\nReport No. 481\n                                                39\n\x0cor 2 years after date of document, as appropriate.\xe2\x80\x9d81 The Physical Security\nBranch informed us that EZLobby logs are maintained for 90 days. 
On\nNovember 16, 2010, the Physical Security Branch provided the OIG with a copy\nof data retrieved from OAS\xe2\x80\x99s e-Visitor (also called EZLobby or eAdvance)\nsystem. After reviewing the data output \xe2\x80\x9ccheck in\xe2\x80\x9d and \xe2\x80\x9ccheck out\xe2\x80\x9d dates, we\nconfirmed that the e-Visitor log provided by the Physical Security Branch was for\nonly a 90-day period (August 15, 2010, to November 16, 2010). Retention of\nvisitor logs for 90 days does not satisfy the two-year retention requirement set\nforth by the NARA General Records Schedule for Security and Protective\nServices Records.\n\nFurther, an initial review of data output from EZlobby revealed that some names\nappeared multiple times. As a result, we sorted the data output by last name and\nthen first name using Microsoft Excel. Upon completion of the data sort, we\nreviewed and analyzed the results to identify individuals who appeared to have\nvisited the SEC on a frequent and sometimes daily basis between August 15,\n2010, and November 16, 2010. Of the 16,766 entries in data output from\nEZLobby, approximately 107 visitors accessed the SEC almost daily during the\ntime period examined. The Security Reminder contained in the SEC\xe2\x80\x99s eAdvance\nVisitor Pre-Registration System states, \xe2\x80\x9cEZLobby badges are temporary badges\nissued to SEC visitors or individuals required to be on site for one day. An\nEZLobby badge requires an escort at all times. The EZLobby badge is not to be\nused in lieu of, or while your employee is waiting for issuance of a permanent\nbadge.\xe2\x80\x9d\n\nDue to the lack of data for a period beyond 90 days, we are unable to determine\nif visitors were obtaining access for a period greater than six months. 
However,\nwe were able to ascertain, based upon the frequency with which their names\nappeared in the data output, that approximately 107 visitors did not appear to\ncomply with the Security Reminder, which indicates that temporary badges are\nissued to visitors for one day and should not be used in lieu of a permanent\nbadge. Based on our review and analysis, we determined that the SEC is\npotentially permitting access to visitors through the issuance of daily visitor\npasses in circumvention of the SEC\xe2\x80\x99s HSPD-12 badging process.\n\nIn addition, M-05-24 states that agencies who employ temporary personnel\nshould \xe2\x80\x9c[d]evelop agency-specific visitor policies (as appropriate) for occasional\nvisitors.\xe2\x80\x9d 82 On January 20, 2011, the OIG issued Report of Investigation OIT\nContract Employees Given Access to SEC Buildings and Computer Systems for\nSeveral Weeks Before Background Investigation Clearance, Report No. OIG-\n544. The Report of Investigation determined that the Physical Security Branch\nhad no written policy for when visitor badges were to be issued and\nrecommended the issuance of a written policy on the proper issuance and\n\n81\n   NARA General Records Schedule 18, Security and Protective Services Records, Transmittal No. 22, April\n2010, http://www.archives.gov/records-mgmt/grs/grs18.html.\n82\n   M-05-24, page 11, http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2005/m05-24.pdf.\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                                  March 31, 2011\nReport No. 481\n                                                  40\n\x0cdocumentation of visitor badges, specifically noting that visitor badges cannot be\nissued in lieu of, or while awaiting, a permanent official SEC badge.\n\nIn summary, our audit found that the Physical Security Branch is maintaining\nvisitor logs for only 90 days, in violation of the NARA records retention\nrequirement. 
As a consequence, the Physical Security Branch is unable to\nreview visitor logs for a sufficient period of time to determine if visitors are\naccessing the agency inappropriately (i.e., on a daily basis or in lieu of a\npermanent badge). Moreover, OAS does not document the results of its analysis\nof visitor data. Due to these deficiencies, the Physical Security Branch is unable\nto ensure that individuals are not circumventing the SEC\xe2\x80\x99s HSPD-12 badging\nprocess by repeatedly obtaining visitor badges.\n\n    Recommendation 24:\n\n    The Office of Administrative Services should retain visitor control logs for a\n    period not less than two years after final entry or two years after date of\n    document in accordance with the National Archives and Records\n    Administration\xe2\x80\x99s General Records Schedule.\n\n    Management Comments. OAS concurred with the recommendation. See\n    Appendix VI for management\xe2\x80\x99s full comments.\n\n    OIG Analysis. We are pleased that OAS concurred with this\n    recommendation.\n\n    Recommendation 25:\n\n    The Office of Administrative Services should perform periodic analysis of\n    visitor data to ensure that visitors are not circumventing the HSPD-12\n    requirements.\n\n    Management Comments. OAS concurred with the recommendation. See\n    Appendix VI for management\xe2\x80\x99s full comments.\n\n    OIG Analysis. We are pleased that OAS concurred with this\n    recommendation.\n\n\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                  March 31, 2011\nReport No. 
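One way to carry out the visitor-data analysis described in Finding 9 (group the export by last name and first name, count the distinct days each visitor checked in, and compare the export's span against the NARA two-year retention period), as an added example written for this page rather than OIG, OAS or EZLobby code. The CSV column names, ISO date format, the constructed sample data and the 20-day review threshold are assumptions, not values from the report.

```python
"""Added example (not from the OIG report): periodic analysis of a visitor-log
export of the kind Finding 9 describes and Recommendation 25 calls for.

Assumptions (not stated in the report): the export is CSV with the columns
last,first,check_in,check_out and ISO-formatted dates. Thresholds below are
illustrative choices, not SEC policy values.
"""
from collections import defaultdict
from datetime import date, timedelta
import csv
import io

NARA_RETENTION_DAYS = 2 * 365   # GRS 18, item 17(b): destroy 2 years after final entry


def parse_visitor_log(text):
    """Parse a CSV export into (normalized_name, check_in_date) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # Group on last name then first name, as the OIG sorted in Excel;
        # normalize case and whitespace so 'daily , PAT' and 'Daily,Pat' merge.
        name = (row["last"].strip().upper(), row["first"].strip().upper())
        rows.append((name, date.fromisoformat(row["check_in"].strip())))
    return rows


def log_span_days(rows):
    """Number of days the export covers (last check-in minus first check-in)."""
    days = [d for _, d in rows]
    return (max(days) - min(days)).days


def meets_retention(rows, required_days=NARA_RETENTION_DAYS):
    """True only if the export reaches back at least the required period.
    An export covering about 90 days, as the Physical Security Branch
    supplied, fails the two-year GRS 18 requirement."""
    return log_span_days(rows) >= required_days


def visit_days_by_name(rows):
    """Distinct check-in days per visitor; repeat check-ins on one day count once."""
    days = defaultdict(set)
    for name, d in rows:
        days[name].add(d)
    return days


def frequent_visitors(rows, min_days):
    """Visitors whose distinct visit days reach min_days within the export.
    These are candidates for review: a daily pass is meant for one day, so a
    person present this often should hold a permanent (HSPD-12) badge."""
    flagged = {}
    for name, days in visit_days_by_name(rows).items():
        if len(days) >= min_days:
            flagged[name] = len(days)
    return flagged


def build_sample_log(start=date(2010, 8, 15), days=93):
    """Constructed sample export over the report's window (not real SEC data)."""
    lines = ["last,first,check_in,check_out"]
    for i in range(days):
        d = start + timedelta(days=i)
        if d.weekday() < 5:                           # present every weekday
            lines.append(f"Daily,Pat,{d},{d}")
            lines.append(f"daily , PAT ,{d},{d}")     # second check-in, same day
        if d.weekday() == 1:                          # present once a week
            lines.append(f"Weekly,Lee,{d},{d}")
    once = start + timedelta(days=3)                  # a genuine one-day visitor
    lines.append(f"Once,Sam,{once},{once}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rows = parse_visitor_log(build_sample_log())
    print("export spans", log_span_days(rows), "days; retention ok:",
          meets_retention(rows))
    # Flag anyone present on 20 or more distinct days (roughly a working month).
    for (last, first), n in sorted(frequent_visitors(rows, 20).items()):
        print(f"{last}, {first}: {n} distinct visit days -> review badging status")
```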
481\n                                               41\n\x0c                                                                         Appendix I\n\n\n                        Acronyms/Abbreviations\n\n CAS                    Civilian Applicant System\n CFR                    Code of Federal Regulations\n COTR                   Contracting Officer\xe2\x80\x99s Technical Representative\n DNI                    Director of National Intelligence\n ED                     Executive Director\n FBI                    Federal Bureau of Investigations\n FIPS                   Federal Information Processing Standards\n GSA                    General Services Administration\n HSPD-12                Homeland Security Presidential Directive\n IAO                    Inspection Acceptable Officer\n MSO                    Managed Service Office\n NACI                   National Agency Check with Inquiries\n NIST                   National Institute of Standards and Technology\n OAS                    Office of Administrative Services\n OED                    Office of the Executive Director\n OHR                    Office of Human Resources\n OIG                    Office of Inspector General\n OIT                    Office of Information Technology\n OMB                    Office of Management and Budget\n OPM                    Office of Personnel Management\n PACS                   Physical Access Control System\n PIN                    Personal Identification Number\n PIV                    Personal Identity Verification\n SEC                    U.S. Securities and Exchange Commission\n\n\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                  March 31, 2011\nReport No. 
481\n                                               42\n\x0c                                                                       Appendix II\n\n\n                         Scope and Methodology\n\n\nWe conducted this performance audit in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives.\nWe determined that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\nScope. We obtained information from OHR, OAS, and OIT on the SEC\xe2\x80\x99s\nimplementation and compliance with the HSPD-12. In addition, we surveyed the\nSEC\xe2\x80\x99s 11 regional offices\xe2\x80\x99 administrative officers to obtain an understanding if the\nagency has consistently implemented HSPD-12 across the board. Further, to\nobtain an understanding of the training and/or guidance received by contracting\nofficials such as CO\xe2\x80\x99s, Contract Specialists, COTRs, and IAOs on the SEC\'s\nHSPD-12 badging policies and procedures, we conducted a separate survey.\n\nWe conducted our fieldwork from August 2010 to February 2011. We reviewed\ndocumentation pertaining to the SEC\xe2\x80\x99s implementation and compliance with\nHSPD-12 for calendar years 2007 through 2010.\n\nMethodology. To meet the audit objective to determine if the SEC is fully\ncompliant with HSPD-12 and implementing standards and guidance, we\nreviewed the Implementation of Homeland Security Directive (HSPD) 12 \xe2\x80\x93 Policy\nfor a Common Identification Standard for Federal Employees and Contractors,\nOMB memoranda and circulars, NIST, and Federal Information Processing\nStandards governing HSPD-12, and other governing guidance to obtain an\nunderstanding of the agency\xe2\x80\x99s requirements for implementing HSPD-12. 
We\ndeveloped and issued two separate surveys to specific SEC staff as follows: (1)\none to the SEC\xe2\x80\x99s regional office staff who are responsible for badging or the\nadministrative functions and (2) one to persons having responsibility for\noverseeing contractors such as IOAs, Contracting Officers, COTRs, and\nContracting Specialists. The surveys included questions to determine if badges\nwere properly seized upon an SEC contractor\xe2\x80\x99s termination from the SEC or\nwhen the period of performance on a contract has ended. The surveys were\nfurther used to determine if consistent practices exist for seizing badges when a\ncontractor is terminated from the SEC or when a contractor\xe2\x80\x99s period of\nperformance has ended. We also assessed whether the SEC met the OMB\nguidance timeframes. In addition, we conducted interviews with staff in the\nOHR\xe2\x80\x99s Personnel Security Branch, OIT, and the OAS\xe2\x80\x99s Physical Security Office\nand Contracting Office to discuss their responsibilities related to the HSPD-12\ndirective.\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                March 31, 2011\nReport No. 481\n                                               43\n\x0c                                                                        Appendix II\n\n\nTo meet the audit objective for evaluating whether the SEC has adequate\ncontrols and the necessary processes and procedures to (1) perform background\ninvestigations, (2) adjudicate results, and (3) issue credentials, we reviewed\ndocumentation that supported the implementation of prior OIG recommendations\nto determine if the recommendations were properly closed. We further reviewed\nthe SEC\xe2\x80\x99s internal policies and procedures, operating procedures, and manuals\nthat apply to the HSPD-12 directive. 
Additionally, we conducted interviews with staff in OHR and OED to discuss their procedures for performing background investigations, adjudicating results, and issuing credentials.

To meet the audit objective of evaluating the roles and responsibilities for the HSPD-12 initiative among the various offices involved in the process, including OAS, OHR, and OIT, we conducted interviews with staff in OHR's Personnel Security Branch, OIT, and OAS's Physical Security Office and Contracting Office to discuss their responsibilities related to the HSPD-12 directive. In addition, the survey we developed included questions to determine whether staff in the SEC regional offices who are responsible for badging, and persons having responsibility for overseeing contractors, understand their roles and responsibilities for the HSPD-12 initiative, such as enrolling badges into the SEC's physical access control system.

To meet the audit objective of assessing compliance with HSPD-12 and determining whether all the necessary equipment was purchased to implement HSPD-12 throughout the SEC, we reviewed the results from the 2010 Annual FISMA Executive Summary Report, Report No. 489, and conducted interviews with OIT and OAS staff. Additionally, we developed and issued a survey to the SEC's regional office staff who are responsible for badging or administrative functions. The survey also included questions to determine whether the needed equipment had been purchased to implement HSPD-12 for both physical and logical access.

To meet the audit objective of evaluating whether the HSPD-12 processes and procedures were consistently applied throughout the SEC (i.e., at headquarters and the regional offices), the survey we issued included questions pertaining to whether HSPD-12 processes and procedures were consistently applied for badge issuance and for enrolling badges into the SEC's physical access control system.
The survey further included questions regarding whether equipment had been deployed to implement the HSPD-12 initiative for both physical and logical access, and whether procedures for revoking badges are consistent.

Sampling. We identified a population (universe) of "all" badges that were issued to SEC staff and contractors at its headquarters and regional offices from FY 2007 through FY 2010. Our universe was determined by (1) reviewing the SEC's physical access control system, Diebold Hirsch; (2) reviewing the SEC's visitor access control system; and (3) obtaining and reviewing a list of contractors that was provided by OAS's Contracting Office.

Based on the universe of badges, we developed a testing strategy and verified that the SEC's employees and contractors received an SEC badge and/or HSPD-12 badge based on the Commission's policies and procedures.
From the SEC's physical access control log provided by the Physical Security Branch, we judgmentally selected visitors who visited the SEC's headquarters at least three times and up to five times in a week over a 90-day period.

In addition, we judgmentally selected a sample of four contracts with effective dates between calendar years 2008 and 2010 to determine whether the contracts contained Federal Acquisition Regulation clause 52.204-9, as required by OMB Memorandum M-05-24, dated August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors.

Prior OIG Reports and Memoranda. The following four prior OIG reports and memoranda are relevant to this audit:

    •   OIG Report of Investigation No. OIG-544, OIT Contract Employees Given Access to SEC Buildings and Computer Systems for Several Weeks Before Background Investigation Clearance, issued on January 20, 2011, which contained four recommendations to strengthen management controls pertaining to contractor access to SEC facilities and information systems.
    •   OIG Inspection Report No. 434, Background Investigations, issued on March 28, 2008, which contained nine recommendations to strengthen management controls over OHR's background investigation program.
    •   OIG Investigative Memorandum No. G-444, Law Student Observer Program, issued on June 29, 2006, which contained three recommendations to strengthen management controls over OHR's background investigation program, specifically for interns selected through the SEC's Law Student Observer Program.
    •   OIG Audit Memorandum No. 39, Operations Center Building Security, issued on July 14, 2005, which contained three recommendations to strengthen management controls over building security at the SEC Operations Center located in Alexandria, Virginia.

Internal Controls. The GAO Government Auditing Standards, effective January 1, 2008, include the requirement to understand internal controls that are significant within the context of the audit's objectives. The revised standards indirectly refer to the Internal Control – Integrated Framework (COSO Report), published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and to GAO's Standards for Internal Control in the Federal Government. The COSO report provides the framework for organizations to design, implement, and evaluate controls that will facilitate compliance with federal laws, regulations, and program compliance requirements. OIG used the COSO framework to measure the SEC's control activities.
Specifically, we reviewed the auditee's internal controls as they pertained to the audit objectives and applied the COSO framework's five components to assess whether the SEC's controls were adequate and to determine whether the SEC had the needed processes and procedures in place to:

    •   perform background investigations,
    •   adjudicate results, and
    •   issue credentials.

Finally, we assessed the SEC's controls in determining the roles and responsibilities of the offices involved in implementing the HSPD-12 directive, and we evaluated whether HSPD-12 processes and procedures are consistently applied throughout the agency.

Use of Computer-Processed Data. We did not assess the reliability of GSA's USAccess application, the SEC's physical access control system (Hirsch), the SEC's visitor badging system (EZLobby/eVisitor), the survey tool (SurveyMonkey), or OMB's E-Government and Information Technology website (for HSPD-12 Implementation Status Reports), because these applications and systems did not pertain to our audit objectives. Further, we did not perform any tests of the general or application controls over these automated systems, as this was not in our scope. The information retrieved from these systems, as well as the requested information that was provided to us, was sufficient, reliable, and adequate to meet our stated objectives.
In addition, we reviewed the following computer-processed data (e.g., Excel spreadsheets) that OHR and OAS staff provided to OIG:

    •   list of current contractors,
    •   list of employees with no investigation or a noncompliant investigation over 15 years old, and
    •   list of employees with an investigation over 15 years old who were grandfathered.

Appendix III

Criteria

Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. This directive established the requirement for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and to contractor employees assigned to government contracts, in order to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy.

Office of Management and Budget (OMB) Memorandum M-05-24, August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors. This memorandum provides implementing instructions for the HSPD-12 directive and Federal Information Processing Standard 201.

Department of Commerce's Federal Information Processing Standard (FIPS) 201-1 – Personal Identity Verification (PIV) of Federal Employees and Contractors. This standard establishes the minimum requirements for a federal personal identity verification system (PIV-I) and detailed technical specifications of the components and processes required for interoperability of PIV credentials (PIV-II).

SEC Administrative Regulation, Identification Cards, Press Passes and Proximity Access Control Cards, SECR 5-2, November 8, 1999. This regulation prescribes the policies, procedures, and standards that govern the Securities and Exchange Commission's (SEC) identification cards.

USAccess Program, PIV Card Issuer Operations Plan, Version 1.0, August 1, 2007, CM# GSA-DI-0000129-1.4.0. The PIV Card Issuer Operations Plan describes the operations and procedures at the MSO and agency levels, including the assignment of PIV roles and responsibilities.

NIST Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November 2008. This publication provides recommendations for the use of Personal Identity Verification credentials in physical access control systems.

Federal Acquisition Regulation (FAR) 52.204-9, Personal Identity Verification of Contractor Personnel. The FAR is the principal set of rules for federal acquisitions; it consists of the regulations that govern the process through which the government acquires goods and services. As required by FIPS 201 and OMB M-05-24, contracts and solicitations that require contractors to have routine physical access to a federally controlled facility or routine access to a federally controlled information system should contain this clause.

Executive Order 13467, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information. This Executive Order provides the executive branch's policies and procedures relating to suitability, contractor employee fitness, eligibility to hold a sensitive position, access to federally controlled facilities and information systems, and eligibility for access to classified information. It provides that these policies and procedures are to be aligned using consistent standards to the extent possible, provide for reciprocal recognition, and ensure cost-effective, timely, and efficient protection of the national interest, while providing fair treatment to those upon whom the federal government relies to conduct the nation's business and protect national security.
Appendix IV

List of Recommendations

Recommendation 1:

The Office of Human Resources should immediately prepare formal, documented plans for initiating background investigations for all current employees who do not have successfully adjudicated background investigations on record, commensurate with risk.

Recommendation 2:

The Office of Human Resources should immediately, but no later than 90 days after the issuance of this report, initiate background investigations for all current employees who do not have successfully adjudicated investigations on record, commensurate with risk.

Recommendation 3:

The Office of Administrative Services should identify and develop a consolidated list of all contractors who are employed by the Commission. In addition, the Office of Administrative Services should coordinate with the Contracting Officer's Technical Representatives and Inspection and Acceptance Officials to implement policies and procedures for ensuring that the list remains up to date.

Recommendation 4:

The Office of Administrative Services should provide the Office of Human Resources Personnel Security Branch with a copy of the up-to-date consolidated contractor list on a weekly basis.

Recommendation 5:

Upon receipt of the up-to-date consolidated contractor list, the Office of Human Resources Personnel Security Branch should determine which contractors do not have successfully adjudicated background investigations on record and develop a plan to begin the required background investigations immediately.

Recommendation 6:

Upon receipt of the up-to-date consolidated contractor list, the Office of Human Resources should ensure that accurate status reporting has been made to the Office of Management and Budget.

Recommendation 7:

The Office of the Executive Director should discontinue adjudicating all eligibility determinations for access to classified information or holding a sensitive position until the Securities and Exchange Commission has received an appropriate delegation of authority to conduct such determinations from the Director of National Intelligence.

Recommendation 8:

The Office of the Executive Director should identify all eligibility determinations for access to classified information or holding a sensitive position adjudicated by the Securities and Exchange Commission since June 30, 2008, and, upon receipt of authority from the Director of National Intelligence, conduct a quality control assessment to ensure that the determinations were conducted in accordance with the uniform policies and procedures developed by the Director of National Intelligence.

Recommendation 9:

The Office of the Executive Director, upon receipt of authority from the Director of National Intelligence to make eligibility determinations for access to classified information or holding a sensitive position, should use the uniform policies and procedures developed by the Director of National Intelligence when making such determinations.

Recommendation 10:

The Office of Administrative Services should immediately discontinue making eligibility determinations for persons requiring temporary access to Securities and Exchange Commission facilities or information systems without proper authorization.

Recommendation 11:

The Office of Administrative Services should immediately provide the Office of Human Resources Personnel Security Branch with a list of all persons who have been provided or denied access based on the Physical Security Branch's risk assessments, as well as a copy of all fingerprint records, supporting documentation, and the results of the risk assessments.

Recommendation 12:

The Office of Human Resources, in coordination with the Office of Administrative Services, should develop policies and procedures for determining the eligibility of contractors, visitors, and guests requiring temporary access to Securities and Exchange Commission facilities or information systems.

Recommendation 13:

The Office of Administrative Services should communicate to regional office staff its expectations for enrolling Personal Identity Verification credentials into their physical access control systems and for using the Personal Identity Verification credential as the primary badge for physical access to Securities and Exchange Commission facilities.

Recommendation 14:

The Office of Administrative Services should require administrative officers in the regional offices, or designated points of contact, to enroll Personal Identity Verification cards in the Securities and Exchange Commission's physical access control system.

Recommendation 15:

The Office of the Executive Director should communicate to all Securities and Exchange Commission employees and contractors their responsibility to inform the appropriate regional office official that they have been issued a Personal Identity Verification card so that the card can be enrolled into the Securities and Exchange Commission physical access control system.

Recommendation 16:

The Office of the Executive Director should develop and implement a policy requiring the Personal Identity Verification badge to be used as a common and primary means of authentication for physical and logical access.

Recommendation 17:

The Office of Administrative Services should revise and update its Identification Cards, Press Passes and Proximity Access Control Cards policy to reflect current and proper practices for issuance and revocation of badges, including Personal Identity Verification cards, to Securities and Exchange Commission employees and contractors at all Commission facilities, and post the revised policy on the Commission's intranet site. In addition, the Office of Administrative Services should communicate the new policy to all employees and contracting officials.

Recommendation 18:

The Office of Administrative Services should develop and implement a plan to systematically revoke all Commission-issued badges for all employees and contractors who have been issued Homeland Security Presidential Directive 12 badges and ensure that the plan is implemented no later than 6 months after the date this report is issued.

Recommendation 19:

The Office of Human Resources should develop, implement, and post in multiple locations (e.g., agency intranet site, human resources offices, regional offices, contractor orientation) its appeals procedures for individuals who are denied credentials or whose credentials are revoked.

Recommendation 20:

The Office of Human Resources should develop internal policies and procedures for suitability determinations for foreign nationals.

Recommendation 21:

The Office of Information Technology should immediately conduct an audit of its inventory to identify and track all keyboards and laptops that contain card readers.

Recommendation 22:

The Office of Information Technology should promptly deploy appropriate technology (e.g., laptops with internal card readers, keyboards with card readers, or external card readers) to employees and contractors who do not have card readers.

Recommendation 23:

The Office of Information Technology should eliminate one full-time registrar and split the time of the other full-time registrar between the Operations Center and headquarters locations.

Recommendation 24:

The Office of Administrative Services should retain visitor control logs for a period of not less than two years after final entry or two years after the date of the document, in accordance with the National Archives and Records Administration's General Records Schedule.

Recommendation 25:

The Office of Administrative Services should perform periodic analysis of visitor data to ensure that visitors are not circumventing the HSPD-12 requirements.

Appendix V

Schedule of Cost Savings

Table 5. Schedule of Cost Savings

    SEC's Registrar Salaries                                        Cost Savings
    Eliminate 1 full-time SEC registrar salary at $72,000/year          $72,000
    Eliminate 1/2 full-time SEC registrar salary at $36,000/year        $36,000
    Total                                                              $108,000

Source: OIG-generated.

Appendix VI

Management's Comments

MEMORANDUM

TO:       H. David Kotz
          Inspector General

FROM:     Diego T. Ruiz
          Executive Director
          Office of the Executive Director (OED)

          Jeffrey A. Risinger
          Associate Executive Director
          Office of Human Resources (OHR)

DATE:     March 28, 2011

SUBJECT:  OED/OHR Joint Response to Report No. 481, Draft Implementation of and Compliance with Homeland Security Presidential Directive 12

This memorandum provides the OED and OHR response to OIG Report No. 481, dated March 10, 2011. The OIG report contains 12 recommendations directed to OED and OHR (recommendations 1, 2, 5, 6, 7, 8, 9, 12, 15, 16, 19, and 20).
The report's remaining recommendations, which are directed to the Office of Administrative Services and the Office of Information Technology, will be responded to in separate memorandums from those offices.

We concur with each of these 12 recommendations directed to our offices, and will take immediate action to develop a corrective action plan to address these recommendations.

We also want to provide additional management comments with respect to two specific recommendations:

Recommendation 7: The Office of Executive Director should discontinue adjudicating all eligibility determinations for access to classified information or holding a sensitive position until the Securities and Exchange Commission has received an appropriate delegation of authority to conduct such determinations from the Director of National Intelligence (DNI).

OED Response: OED concurs with this recommendation and has initiated contact with the DNI to obtain the necessary delegated adjudication authority. Should this process take longer than several weeks, even for an interim adjudication authority, we may be faced with the need to make adjudications of current investigations. The OED will work expeditiously to complete this recommendation and will keep the OIG informed about progress and developments related to its completion.

Recommendation 8: The Office of Executive Director should identify all eligibility determinations for access to classified information or holding a sensitive position adjudicated by the Securities and Exchange Commission since June 30, 2008, and, upon receipt of authority from the Director of National Intelligence (DNI), conduct a quality control assessment to ensure that the determinations were conducted in accordance with the uniform policies and procedures developed by the DNI.

OED Response: OED concurs with this recommendation and will conduct a quality review of eligibility determinations made by the SEC after June 30, 2008. These determinations were made consistent with E.O. 12968, and based upon the December 2005 Revised Adjudicative Guidelines for Determining Eligibility for Access to Classified Information. With only slight modifications in one area, these same guidelines have been adopted by the DNI in their Personnel Security Adjudicative Guidelines for Determining Eligibility for Access to Sensitive Compartmented Information (SCI) and Other Controlled Access Program Information (IC Directive No. 704.2, effective October 2, 2008). Based on the similarity between the current DNI adjudicative guidelines and the 2005 guidelines used by the OED to adjudicate the post-June 30, 2008 cases, it is our belief that upon review these determinations will meet the current DNI adjudicative standards.

Thank you for your focus on this important area of agency operations, and for allowing us the opportunity to respond.
If you have any questions regarding our response, please contact Carl Schilling at (202) 551-4358.

MEMORANDUM

March 24, 2011

TO:       H. David Kotz
          Inspector General

FROM:     Sharon Sheehan
          Associate Executive Director
          Office of Administrative Services

SUBJECT:  OAS Management Response to Draft Report No. 481, Implementation of and Compliance with Homeland Security Presidential Directive 12

This memorandum is in response to the Office of Inspector General's Draft Report No. 481, Implementation of and Compliance with Homeland Security Presidential Directive 12. Thank you for the opportunity to review and respond to this report. We concur with the nine recommendations addressed to OAS in the report and have begun taking appropriate steps to implement them.

Recommendation 3:

OAS concurs. OAS Security Branch will maintain a list of all contractors who are employed within the Commission, and develop policies and procedures for ensuring the list remains current.

Recommendation 4:

OAS concurs. In the policy or procedures guide, OAS will establish the frequency and method of transmittal of the consolidated list of contractor personnel employed within the Commission to the OHR Personnel Security Branch.

Recommendation 10:

OAS concurs.
OAS will discontinue making eligibility determinations for persons requiring temporary access to the SEC and instead turn over the responsibility to the OHR Personnel Security Branch.

Recommendation 11:

OAS concurs. OAS Security Branch will turn over all documentation in its possession relating to the risk assessments conducted, including lists of persons who have either been denied or granted access to SEC space and copies of all fingerprint records.

Recommendation 13:

OAS concurs. OAS Security Branch will provide guidance to Regional Office (RO) staff on the requirement to enroll personal identity verification (PIV) credentials into the RO physical access control systems. Guidance will also designate the PIV credential as the primary badge for physical access to SEC facilities.

Recommendation 17:

OAS concurs. OAS Security Branch will update the existing Identification Cards, Press Passes and Proximity Access Control Cards policy and post a revised access policy on the SEC intranet site.

Recommendation 18:

OAS concurs. OAS Security Branch will develop and implement a plan to systematically revoke all SEC-issued badges for all employees and contractors who have been issued HSPD-12 credentials. OAS will implement the plan within six months of the date of the final OIG report.

Recommendation 24:

OAS concurs. OAS Security Branch discussed this recommendation with OIT.
OIT has confirmed that they will retain visitor control logs as specified in the National Archives and Records Administration's General Records Schedule.

Recommendation 25:

OAS concurs. OAS Security Branch will perform regular reviews of visitor logs to ensure visitors are not circumventing the HSPD-12 requirements.

MEMORANDUM

TO:       H. David Kotz, Inspector General, Office of Inspector General

FROM:     Thomas A. Bayer, Director, Office of Information Technology

RE:       Office of Information Technology's Response to the Office of Inspector General's Report, Implementation of and Compliance with Homeland Security Presidential Directive 12, Report No. 481

DATE:     March 25, 2011

This memorandum is in response to the Office of Inspector General's (OIG) Draft Report No. 481 entitled, Implementation of and Compliance with Homeland Security Presidential Directive 12. Thank you for the opportunity to review and respond to this report.

OIG Recommendations:

The draft report had three recommendations for the Office of Information Technology (OIT):

Recommendation 21: The Office of Information Technology should immediately conduct an audit of its inventory to identify and track all keyboards and laptops that contain card readers.

OIT concurs with this recommendation and is presently conducting an audit of its assets to identify all laptops and desktops that do not have HSPD-12 compliant keyboards/card readers.
This effort will be\ncomplete within the next 30 days.\n\nRecommendation 22: The Office of Information Technology should promptly deploy appropriate\ntechnology (e.g., laptops with internal card readers, keyboards with card readers, or ext!rnal card\nreaders) to employees and contractors who do not have card readers.\n\nOIT concurs with this recommendation and upon completion of the asset audit to identify all laptops\nand desktops that do not have HSPD-12 complaint keyboards/card readers, QIT will deploy complaint\ndevices to all SEC staff and contractors. This effort will be complete within the next 90 days.\n\nRecommendation 23: The Office of Information Technology should eliminate one-full time registrar and\nsplit the time of the other full-time registrar between the Operations Center and Headquarters locations.\n\nOIT concurs with this recommendation and will eliminate one full-time registrar after the ISS contract\ntransition at the Operations Center. This effort will be complete within the next 120 days as the registrar\ncontract expires.\n\n\n\n\nThe SEC\xe2\x80\x99s Implementation and Compliance with HSPD-12                                              March 31, 2011\nReport No. 481\n                                                       59\n\x0c                                                                      Appendix VII\n\n\n      OIG Response to Management\xe2\x80\x99s Comments\n\nWe are pleased that OAS, OED, OHR, and OIT have concurred with all of the\nreport\xe2\x80\x99s 25 recommendations. 
We are also encouraged that these offices have\nindicated that they have already taken steps to implement the recommendations\nand have also, in several cases, provided timelines for when additional steps will\nbe taken.\n\nThe OIG audit found deficiencies in nearly every aspect of the SEC\xe2\x80\x99s HSPD-12\nprogram, as well as significant concerns about the SEC\xe2\x80\x99s authority to determine\neligibility for access to classified information and the current process for granting\ntemporary access to SEC facilities. Swift implementation of all of the report\xe2\x80\x99s\nrecommendations is critical to ensuring that the SEC becomes compliant with the\nHSPD-12 directive.\n\n\n\n\nThe SEC\xe2\x80\x99s Implementation of and Compliance with HSPD-12                 March 31, 2011\nReport No. 481\n                                               60\n\x0c                     Audit Requests and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to\nrequest an audit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at SEC,\n      contact the Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'
